From: Selva Nair <[email protected]>

Pull-filter uses a simple string comparison and could be defeated by
unusual formatting of pushed option strings. Document that this
option is not meant to be used as a security measure.

Reported by: <[email protected]>

Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a
Signed-off-by: Selva Nair <[email protected]>
Acked-by: Gert Doering <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Gert Doering <[email protected]>

diff --git a/doc/man-sections/client-options.rst 
b/doc/man-sections/client-options.rst
index e8523d9..17f0a6a 100644
--- a/doc/man-sections/client-options.rst
+++ b/doc/man-sections/client-options.rst
@@ -345,6 +345,14 @@
   next remote succeeds. To silently ignore an option pushed by the server,
   use :code:`ignore`.
 
+  *Warning:* ``pull-filter`` cannot be relied upon as a security measure to
+  protect against offending options pushed by a server. For example, the
+  filter could be defeated by pushing options with extra spaces between
+  tokens or other formatting variations. In such situations, an "allow-list"
+  approach using specific ``pull-filter accept`` directives followed by a
+  generic ``pull-filter ignore`` should be preferred over a "deny-list"
+  approach. This improves robustness but does not guarantee security.
+
 --push-peer-info
   Push additional information about the client to server. The following
   data is always pushed to the server:
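Review bot: The new warning paragraph says an allow-list of specific ``pull-filter accept`` directives followed by a generic ``pull-filter ignore`` is preferable, but it does not show the reader what that looks like or say why it is more robust; a two-line example pair in the documentation (one ``pull-filter accept`` for the expected option text, then the catch-all ``pull-filter ignore``) and a sentence noting that anything not matching the accepted form, including a reformatted variant with extra spaces, then falls through to the ignore rule would make the advice actionable. Also, "offending options" in the first sentence is vague for a security warning; "unwanted or malicious options" states the actual concern. Finally, the closing sentence "This improves robustness but does not guarantee security" is a good caveat, but it would be stronger tied to the earlier point: the filter is still a plain prefix/string match on the pushed text, so the allow-list only narrows what can slip through, it does not validate option semantics.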


_______________________________________________
Openvpn-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
