From: Daniel Lenski Date: Thu, 29 Apr 2021 18:15:20 +0000 (-0700) Subject: GP auth: don't modify URL path if it ends with .esp X-Git-Tag: v8.20~230^2~3 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=72c51de304da103430da42ab24e503525b61e24c;p=users%2Fdwmw2%2Fopenconnect.git GP auth: don't modify URL path if it ends with .esp If the URL path ends with .esp (possibly followed by a query string, e.g. /ssl-vpn/prelogin.esp?magic_parameter=123), then let's assume that the user knows exactly what they're doing and that we shouldn't rewrite the path. This will help with GP auth tests, by allowing us to get parameters into the test session setup (just as fake-{f5,fortinet,juniper}-server.py do), in order to configure gateways, 2FA requirement, etc. Signed-off-by: Daniel Lenski --- diff --git a/auth-globalprotect.c b/auth-globalprotect.c index ac7e183e..55ceba65 100644 --- a/auth-globalprotect.c +++ b/auth-globalprotect.c 
@@ -559,16 +559,27 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, struct login /* Ask the user to fill in the auth form; repeat as necessary */ for (;;) { + int keep_urlpath = 0; + if (vpninfo->urlpath) { + /* XX: If the path ends with .esp (possibly followed by a query string), leave as-is */ + const char *esp = strstr(vpninfo->urlpath, ".esp"); + if (esp && (esp[4] == '\0' || esp[4] == '?')) + keep_urlpath = 1; + } + if (!keep_urlpath) { + orig_path = vpninfo->urlpath; + if (asprintf(&vpninfo->urlpath, "%s/prelogin.esp?tmp=tmp&clientVer=4100&clientos=%s", + portal ? "global-protect" : "ssl-vpn", gpst_os_name(vpninfo)) < 0) { + result = -ENOMEM; + goto out; + } + } /* submit prelogin request to get form */ - orig_path = vpninfo->urlpath; - if (asprintf(&vpninfo->urlpath, "%s/prelogin.esp?tmp=tmp&clientVer=4100&clientos=%s", - portal ? "global-protect" : "ssl-vpn", gpst_os_name(vpninfo)) < 0) { - result = -ENOMEM; - goto out; + result = do_https_request(vpninfo, "POST", NULL, NULL, &xml_buf, 1); + if (!keep_urlpath) { + free(vpninfo->urlpath); + vpninfo->urlpath = orig_path; } - result = do_https_request(vpninfo, "POST", NULL, NULL, &xml_buf, 0); - free(vpninfo->urlpath); - vpninfo->urlpath = orig_path; if (result >= 0) result = gpst_xml_or_error(vpninfo, xml_buf, parse_prelogin_xml, NULL, ctx);
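Review bot: The `.esp` test at the top of the `for (;;)` loop relies on `strstr(vpninfo->urlpath, ".esp")`, which only looks at the first occurrence, so it does not exactly implement "path ends with .esp". A path with an earlier `.esp` substring followed by some other character (say a directory component like `x.espn/` ahead of `prelogin.esp`) is still rewritten, and a `.esp` that first appears at the very end of the query string is treated as a match. Consider finding the end of the path first with `strchr(vpninfo->urlpath, '?')` (falling back to the end of the string) and comparing the four bytes before that point against `.esp`. Separately, the last argument of `do_https_request(vpninfo, "POST", NULL, NULL, &xml_buf, 1)` changes from `0` to `1` for both the rewritten and the kept-path case, and the commit message does not mention it; if that is intended for every prelogin request it deserves a line in the message or a comment, otherwise it should be conditional on `keep_urlpath`. The `XX:` comment could also note that a kept path skips the `portal ? "global-protect" : "ssl-vpn"` selection, since that is the behaviour a later reader will need to know about.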