From 72c51de304da103430da42ab24e503525b61e24c Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Thu, 29 Apr 2021 11:15:20 -0700
Subject: [PATCH] GP auth: don't modify URL path if it ends with .esp

If the URL path ends with .esp (possibly followed by a query string, e.g. /ssl-vpn/prelogin.esp?magic_parameter=123), then let's assume that the user knows exactly what they're doing and that we shouldn't rewrite the path. This will help with GP auth tests, by allowing us to get parameters into the test session setup (just as fake-{f5,fortinet,juniper}-server.py do), in order to configure gateways, 2FA requirement, etc.
Signed-off-by: Daniel Lenski
---
 auth-globalprotect.c | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)
diff --git a/auth-globalprotect.c b/auth-globalprotect.c
index ac7e183e..55ceba65 100644
--- a/auth-globalprotect.c
+++ b/auth-globalprotect.c
@@ -559,16 +559,27 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, struct login
 /* Ask the user to fill in the auth form; repeat as necessary */
 for (;;) {
+ int keep_urlpath = 0;
+ if (vpninfo->urlpath) {
+ /* XX: If the path ends with .esp (possibly followed by a query string), leave as-is */
+ const char *esp = strstr(vpninfo->urlpath, ".esp");
+ if (esp && (esp[4] == '\0' || esp[4] == '?'))
+ keep_urlpath = 1;
+ }
+ if (!keep_urlpath) {
+ orig_path = vpninfo->urlpath;
+ if (asprintf(&vpninfo->urlpath, "%s/prelogin.esp?tmp=tmp&clientVer=4100&clientos=%s",
+ portal ? "global-protect" : "ssl-vpn", gpst_os_name(vpninfo)) < 0) {
+ result = -ENOMEM;
+ goto out;
+ }
+ }
 /* submit prelogin request to get form */
- orig_path = vpninfo->urlpath;
- if (asprintf(&vpninfo->urlpath, "%s/prelogin.esp?tmp=tmp&clientVer=4100&clientos=%s",
- portal ? "global-protect" : "ssl-vpn", gpst_os_name(vpninfo)) < 0) {
- result = -ENOMEM;
- goto out;
+ result = do_https_request(vpninfo, "POST", NULL, NULL, &xml_buf, 1);
+ if (!keep_urlpath) {
+ free(vpninfo->urlpath);
+ vpninfo->urlpath = orig_path;
 }
- result = do_https_request(vpninfo, "POST", NULL, NULL, &xml_buf, 0);
- free(vpninfo->urlpath);
- vpninfo->urlpath = orig_path;
 if (result >= 0)
 result = gpst_xml_or_error(vpninfo, xml_buf, parse_prelogin_xml, NULL, ctx);
--
2.50.1
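Review bot: The `.esp` test in the added `if (vpninfo->urlpath)` block inspects only the first `.esp` that `strstr()` finds and is not anchored to the end of the path component, so a constructed path such as `/a.espx/prelogin.esp` is still rewritten while `/portal?next=x.esp` is kept as-is. Anchoring the check at the query separator covers both cases: `size_t plen = strcspn(vpninfo->urlpath, "?");` followed by `if (plen >= 4 && !strncmp(vpninfo->urlpath + plen - 4, ".esp", 4)) keep_urlpath = 1;`. Separately, the last argument of `do_https_request()` changes from `0` to `1` with no mention in the commit message; if that is the follow-redirect flag, the prelogin POST now follows server redirects for every user rather than only in tests, and in the rewrite branch whatever path the redirect installed is freed and replaced by `orig_path`, which deserves at least a comment such as `/* follow redirects: needed for <reason> */` or a separate commit. `gpst_login()` begins and ends outside this hunk, so how the `out:` path treats `orig_path` and `vpninfo->urlpath` after a failed `asprintf()` cannot be checked from here.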