while ((i = openconnect_SSL_gets(vpninfo->https_ssl, buf, sizeof(buf)))) {
char *colon;
- vpninfo->progress(vpninfo, PRG_TRACE, "%s\n", buf);
-
if (i < 0) {
vpninfo->progress(vpninfo, PRG_ERR, "Error processing HTTP response\n");
return -EINVAL;
if (*colon == ' ')
colon++;
+ /* Handle Set-Cookie first so that we can avoid printing the
+ webvpn cookie in the verbose debug output */
+ if (!strcasecmp(buf, "Set-Cookie")) {
+ char *semicolon = strchr(colon, ';');
+ char *print_equals, *equals = strchr(colon, '=');
+ int ret;
+
+ if (semicolon)
+ *semicolon = 0;
+
+ if (!equals) {
+ vpninfo->progress(vpninfo, PRG_ERR, "Invalid cookie offered: %s\n", buf);
+ return -EINVAL;
+ }
+ *(equals++) = 0;
+
+ print_equals = equals;
+ /* Don't print the webvpn cookie; we don't want people posting it
+ in public with debugging output */
+ if (!strcmp(colon, "webvpn"))
+ print_equals = "<elided>";
+ vpninfo->progress(vpninfo, PRG_TRACE, "%s: %s=%s%s%s\n",
+ buf, colon, print_equals, semicolon?";":"",
+ semicolon?(semicolon+1):"");
+
+ ret = http_add_cookie(vpninfo, colon, equals);
+ if (ret)
+ return ret;
+ } else {
+ vpninfo->progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
+ }
+
if (!strcasecmp(buf, "Connection")) {
if (!strcasecmp(colon, "Close"))
closeconn = 1;
return -EINVAL;
}
}
- if (!strcasecmp(buf, "Set-Cookie")) {
- char *semicolon = strchr(colon, ';');
- char *equals = strchr(colon, '=');
- int ret;
-
- if (semicolon)
- *semicolon = 0;
-
- if (!equals) {
- vpninfo->progress(vpninfo, PRG_ERR, "Invalid cookie offered: %s\n", buf);
- return -EINVAL;
- }
- *(equals++) = 0;
-
- ret = http_add_cookie(vpninfo, colon, equals);
- if (ret)
- return ret;
- }
if (!strcasecmp(buf, "Transfer-Encoding")) {
if (!strcasecmp(colon, "chunked"))
bodylen = BODY_CHUNKED;
There is a mailing list at <TT><A
HREF="mailto:openconnect-devel@lists.infradead.org">
openconnect-devel@lists.infradead.org</A></TT>. To subscribe, visit the <A
-HREF="http://lists.infradead.org/mailman/listinfo/openconnect-devel">Mailman admin page</A>.
+HREF="http://lists.infradead.org/mailman/listinfo/openconnect-devel">Mailman admin page</A>. Before posting to the list, read this:
+<P>
+<B>SECURITY WARNING:</B><BR>
+If you are posting debugging output from openconnect to the mailing list, do <em>not</em> include a line which looks like this:
+
+<BR><TT>Set-Cookie: webvpn=835278264@921600@1221512527@6B9EC24DEB2F59E242F75B424D42F223D0912984;PATH=/</TT><BR>
+That HTTP cookie is all that's needed to grant access to the VPN session you just logged in to — it's almost as bad as giving your password away. Version 2.26 or later of OpenConnect will automatically filter this out of the debugging output for you.
<H2>TODO</H2>
<UL>
<UL>
<LI><B>OpenConnect HEAD</B><BR>
<UL>
- <LI><I>No changelog entries yet</I></LI>
+ <LI>Don't print <TT>webvpn</TT> cookie in debug output.</LI>
</UL><BR>
</LI>
<LI><B><A HREF="ftp://ftp.infradead.org/pub/openconnect/openconnect-2.25.tar.gz">OpenConnect v2.25</a></B> — 2010-05-15<BR>
<hr>
<address>David Woodhouse <<A HREF="mailto:dwmw2@infradead.org">dwmw2@infradead.org</A>></address>
<!-- hhmts start -->
-Last modified: Thu May 27 10:58:11 BST 2010
+Last modified: Sat Aug 7 10:19:33 BST 2010
<!-- hhmts end -->
</body> </html>