From: Stefan Bühler Date: Wed, 19 Jun 2024 14:01:10 +0000 (+0200) Subject: Don't default form action to '/' in AnyConnect/OpenConnect XML form handling (fixes... X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=82c73c5e5fbd5add10a85ac7e5148c21d2bf591a;p=users%2Fdwmw2%2Fopenconnect.git Don't default form action to '/' in AnyConnect/OpenConnect XML form handling (fixes #737) Still require action to be non-empty if present. Form action "redirect" handling code in auth.c already works with action==NULL (as in not building a new URL). (It'd do weird things with an empty action though.) Signed-off-by: Stefan Bühler --- diff --git a/auth.c b/auth.c index 8255e91a..cf12ea29 100644 --- a/auth.c +++ b/auth.c @@ -452,13 +452,15 @@ static int parse_auth_node(struct openconnect_info *vpninfo, xmlNode *xml_node, /* defaults for new XML POST */ form->method = strdup("POST"); - form->action = strdup("/"); xmlnode_get_prop(xml_node, "method", &form->method); xmlnode_get_prop(xml_node, "action", &form->action); - if (!form->method || !form->action || - strcasecmp(form->method, "POST") || !form->action[0]) { + /* - expect unset action (reuse current URL) or non-empty action="..." + * - expect unset method (defaults to "POST") or explicit method="POST" + */ + if ((form->action && !form->action[0]) || + !form->method || strcasecmp(form->method, "POST")) { vpn_progress(vpninfo, PRG_ERR, _("Cannot handle form method='%s', action='%s'\n"), form->method, form->action); diff --git a/www/changelog.xml b/www/changelog.xml index f4f46363..a1482968 100644 --- a/www/changelog.xml +++ b/www/changelog.xml @@ -35,6 +35,7 @@
  • Enable DTLSv1.0 to continue working with OpenSSL v3.1.0 and newer (!504, !536).
  • Fix bug that caused OpenConnect to incorrectly log the remaining time until a re-key or periodic Trojan (#677, !539)
  • Fix bug that prevented GlobalProtect ESP from working correctly when the server sends both Legacy IP and IPv6 versions of the ESP "magic ping" address, but no IPv6 client address (!565)
  • +
  • Use the full URI (including "usergroup" or path) as specified in --server for all requests during authentication instead of only the first one (!560).

  • OpenConnect v9.12
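Review bot: in the auth.c hunk, the error branch can now be reached with form->action == NULL and still passes it to a "%s" conversion in vpn_progress(vpninfo, PRG_ERR, _("Cannot handle form method='%s', action='%s'\n"), form->method, form->action); before this change action was always a non-NULL strdup("/") result unless allocation failed, but an unset action is now a normal, accepted state, so a form with no action attribute and a non-POST method hits the message with a NULL pointer. Printing NULL through "%s" is undefined behaviour in C (glibc happens to emit "(null)", other libcs may crash), so substitute a placeholder, e.g. form->action ? form->action : "(unset)", and likewise guard form->method, which the condition also allows to be NULL at that point. The new condition itself matches the commit message: an absent action is accepted, a present but empty action is rejected, and method must be an explicit or defaulted "POST".

Review bot: the www/changelog.xml hunk adds an entry that cites only merge request !560, while the commit subject says this change fixes #737; add the issue reference to the new entry (as the neighbouring entries do with "#677, !539") so the changelog links the user-visible fix to the reported bug. The entry also describes the full-URI behaviour in general terms and does not mention the form-action default being dropped, so consider wording it so that a reader can tell that a form without an action attribute now reuses the current URL instead of "/".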