Fix Fortinet realm name extraction
authorDaniel Lenski <dlenski@gmail.com>
Thu, 10 Jun 2021 22:45:08 +0000 (15:45 -0700)
committerDaniel Lenski <dlenski@gmail.com>
Thu, 10 Jun 2021 22:45:47 +0000 (15:45 -0700)
1. We were inadvertently capturing 6 characters following the 'realm'
   parameter in the query string (e.g.  '&lang=').  Fix and include extra
   parameters in tests to verify.
2. Add another comment about how the 'realm' field is saved in URL-escaped
   form, and test to verify.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
fortinet.c
tests/fake-fortinet-server.py
tests/fortinet-auth-and-config

index d7ce369d5b6b55338dc2e8d8e3bb6d2e8084dc39..75b178138e75902a73c8ad151b702247773ba87c 100644 (file)
@@ -124,7 +124,7 @@ int fortinet_obtain_cookie(struct openconnect_info *vpninfo)
                for (realm = strchr(vpninfo->urlpath, '?'); realm && *++realm; realm=strchr(realm, '&')) {
                        if (!strncmp(realm, "realm=", 6)) {
                                const char *end = strchrnul(realm+1, '&');
-                               realm = strndup(realm+6, end-realm);
+                               realm = strndup(realm+6, end-realm-6);
                                vpn_progress(vpninfo, PRG_INFO, _("Got login realm '%s'\n"), realm);
                                break;
                        }
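Review bot: The `strndup` result on the changed line is not checked before it is passed to `vpn_progress` as a `%s` argument, so an allocation failure hands a null pointer to the format string and the realm is silently dropped. Add a check directly after the call, e.g. `if (!realm) return -ENOMEM;`, or a jump to whatever cleanup path the function uses. `realm` is also both the scan cursor into `vpninfo->urlpath` and the owned copy: when the loop ends because `*++realm` reaches the terminator (a query string ending in `?` or `&`), it is left non-NULL and pointing into `urlpath`, so a later `free(realm)` or use as a realm name would act on memory that was never allocated here. A separate `const char *` cursor would remove that ambiguity. The rest of `fortinet_obtain_cookie` lies outside the hunk, so how `realm` is consumed afterwards could not be checked.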
index 8dd636fbb69d336119868e8b47d0b47d4d99829b..07079bfa13ca743bae9f9c2803bfc4e0298348a5 100755 (executable)
@@ -90,7 +90,7 @@ def realm(realm=None):
     session.update(step='GET-realm', want_2fa=int(request.args.get('want_2fa', 0)))
     # print(session)
     if realm:
-        return redirect(url_for('login', realm=realm))
+        return redirect(url_for('login', realm=realm, lang='en'))
     else:
         return login()
 
index e569bebdac43a5f31e8a1a325930ae9c7cc761f0..32c1cb4342658997a48f5a9bece9a82ea613dbe0 100755 (executable)
@@ -60,7 +60,7 @@ echo -n "Authenticating with username/password/(2 round of token) and DEFAULT pa
 echo ok
 
 echo -n "Authenticating with username/password/token and NON-DEFAULT path... "
-( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=fortinet -q $ADDRESS:443/fakeRealm?want_2fa=1 -u test --token-mode=totp --token-secret=FAKE $FINGERPRINT --pfs --cookieonly >/dev/null 2>&1) ||
+( echo "test" | LD_PRELOAD=libsocket_wrapper.so $OPENCONNECT --protocol=fortinet -q $ADDRESS:443/fake+Realm?want_2fa=1 -u test --token-mode=totp --token-secret=FAKE $FINGERPRINT --pfs --cookieonly --dump) ||
     fail $PID "Could not receive cookie from fake Fortinet server"
 
 echo ok
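Review bot: The changed invocation still asserts only the exit status, so the two properties the commit sets out to verify are not checked in this hunk: that no trailing `&lang=` ends up in the realm, and that `fake+Realm` is kept in URL-escaped form. They are covered only if the fake server rejects a wrong realm, which is not visible here. Capturing the output and matching the expected escaped realm, e.g. `... --cookieonly --dump 2>&1 | grep -q "$EXPECTED_REALM"` with `EXPECTED_REALM` as a placeholder for the escaped value, would make a regression fail visibly. Dropping `>/dev/null 2>&1` also leaves the `--dump` output of the authentication exchange in the test log; that is harmless with the fake credentials used here, but a comment such as `# --dump output is intentionally kept in the log` would record that it is deliberate.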