http: Don't leak the webvpn cookie in XML POST mode
authorKevin Cernekee <cernekee@gmail.com>
Mon, 4 Mar 2013 02:20:51 +0000 (18:20 -0800)
committerDavid Woodhouse <David.Woodhouse@intel.com>
Mon, 4 Mar 2013 08:09:16 +0000 (08:09 +0000)
XML POST mode introduces a new header in the <auth> response.  Squash it
so that people don't inadvertently post logs containing webvpn cookies.

Signed-off-by: Kevin Cernekee <cernekee@gmail.com>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
cstp.c

diff --git a/cstp.c b/cstp.c
index d57d7418e5c015c84a2b5acf4bc7bdd4a4771da9..48962120770038223a7c67172d032175aa5e6e5d 100644 (file)
--- a/cstp.c
+++ b/cstp.c
@@ -310,7 +310,11 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
                        return -ENOMEM;
                }
 
-               vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
+               /* This contains the whole document, including the webvpn cookie. */
+               if (!strcasecmp(buf, "X-CSTP-Post-Auth-XML"))
+                       vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, _("<elided>"));
+               else
+                       vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
 
                if (!strncmp(buf, "X-DTLS-", 7)) {
                        *next_dtls_option = new_option;
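Review bot: The redaction keyed on `strcasecmp(buf, "X-CSTP-Post-Auth-XML")` covers exactly one header name, and the `else` branch still writes every other response header value to the PRG_TRACE log verbatim. That includes the `X-DTLS-` options handled on the next lines; if any of those values is session material, it will keep appearing in logs that users post, so it is worth auditing the headers the gateway can send here. To keep the rule visible to whoever adds the next header, I would extend the comment to something like `/* Never trace-log header values that carry session secrets; add new ones to this check. */`. The loop and the rest of start_cstp_connection lie outside this hunk, so whether the elided value is also stored or logged elsewhere cannot be judged from here.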