http: Don't leak the webvpn cookie in XML POST mode
XML POST mode introduces a new header in the <auth> response.  Squash it
so that people don't inadvertently post logs containing webvpn cookies.

Signed-off-by: Kevin Cernekee <>
Signed-off-by: David Woodhouse <>
cernekee authored and David Woodhouse committed Mar 4, 2013
1 parent 82237a9 commit 73f5ae387ac80d87bf3813061df0d9f72c190e3a
Showing with 5 additions and 1 deletion.
  1. +5 −1 cstp.c
6 cstp.c
@@ -310,7 +310,11 @@ static int start_cstp_connection(struct openconnect_info *vpninfo)
return -ENOMEM;

vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);
/* This contains the whole document, including the webvpn cookie. */
if (!strcasecmp(buf, "X-CSTP-Post-Auth-XML"))
vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, _("<elided>"));
vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);

if (!strncmp(buf, "X-DTLS-", 7)) {
*next_dtls_option = new_option;
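Review bot: As rendered, the `<elided>` call under the `X-CSTP-Post-Auth-XML` check is followed directly by the unconditional `vpn_progress(vpninfo, PRG_TRACE, "%s: %s\n", buf, colon);` with no `else` visible between them, so the full header value, webvpn cookie included, would still reach the trace log right after the placeholder line. The stat line reports 5 additions, which suggests an `else` line was dropped from this view; please confirm the second call sits in an `else` branch. Separately, the guard matches this one header name only, so any other response header that carries the cookie would still be logged verbatim at PRG_TRACE; a short note in the comment about which headers are known to contain it would help the next reader.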
