GP auth: don't modify URL path if it ends with .esp
authorDaniel Lenski <dlenski@gmail.com>
Thu, 29 Apr 2021 18:15:20 +0000 (11:15 -0700)
committerDaniel Lenski <dlenski@gmail.com>
Mon, 3 May 2021 21:50:21 +0000 (14:50 -0700)
If the URL path ends with .esp (possibly followed by a query string, e.g.
/ssl-vpn/prelogin.esp?magic_parameter=123), then let's assume that the user
knows exactly what they're doing and that we shouldn't rewrite the path.

This will help with GP auth tests, by allowing us to get parameters into the
test session setup (just as fake-{f5,fortinet,juniper}-server.py do), in
order to configure gateways, 2FA requirement, etc.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
auth-globalprotect.c

index ac7e183e685f798ea07d816158c2856270e0511e..55ceba65edc6701acb1930d893132976853ebd9e 100644 (file)
@@ -559,16 +559,27 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, struct login
 
        /* Ask the user to fill in the auth form; repeat as necessary */
        for (;;) {
+               int keep_urlpath = 0;
+               if (vpninfo->urlpath) {
+                       /* XX: If the path ends with .esp (possibly followed by a query string), leave as-is */
+                       const char *esp = strstr(vpninfo->urlpath, ".esp");
+                       if (esp && (esp[4] == '\0' || esp[4] == '?'))
+                               keep_urlpath = 1;
+               }
+               if (!keep_urlpath) {
+                       orig_path = vpninfo->urlpath;
+                       if (asprintf(&vpninfo->urlpath, "%s/prelogin.esp?tmp=tmp&clientVer=4100&clientos=%s",
+                                    portal ? "global-protect" : "ssl-vpn", gpst_os_name(vpninfo)) < 0) {
+                               result = -ENOMEM;
+                               goto out;
+                       }
+               }
                /* submit prelogin request to get form */
-               orig_path = vpninfo->urlpath;
-               if (asprintf(&vpninfo->urlpath, "%s/prelogin.esp?tmp=tmp&clientVer=4100&clientos=%s",
-                            portal ? "global-protect" : "ssl-vpn", gpst_os_name(vpninfo)) < 0) {
-                       result = -ENOMEM;
-                       goto out;
+               result = do_https_request(vpninfo, "POST", NULL, NULL, &xml_buf, 1);
+               if (!keep_urlpath) {
+                       free(vpninfo->urlpath);
+                       vpninfo->urlpath = orig_path;
                }
-               result = do_https_request(vpninfo, "POST", NULL, NULL, &xml_buf, 0);
-               free(vpninfo->urlpath);
-               vpninfo->urlpath = orig_path;
 
                if (result >= 0)
                        result = gpst_xml_or_error(vpninfo, xml_buf, parse_prelogin_xml, NULL, ctx);
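Review bot: The `.esp` test in the added block looks only at the first match returned by `strstr`, so it does not reliably mean "the path ends with .esp". With constructed examples, `/a.espx/prelogin.esp` is still rewritten, while `/login?next=x.esp` is kept although its path does not end in `.esp`. Checking the suffix of the part before the query string matches the commit message: `size_t plen = strcspn(vpninfo->urlpath, "?");` then `if (plen >= 4 && !strncmp(vpninfo->urlpath + plen - 4, ".esp", 4)) keep_urlpath = 1;`. Separately, the last argument of `do_https_request` changes from 0 to 1 for every prelogin request, and the commit message does not mention it. If that argument enables redirect following (its meaning is not visible here), a redirect in the kept-path case would leave `vpninfo->urlpath`, and possibly the target host, altered when credentials are submitted later, so it deserves a comment or its own commit; `gpst_login` starts and ends outside the hunk.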