Signed-off-by: Nikos Mavrogiannopoulos <nmav at gnutls.org>
---
 http.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/http.c b/http.c
index 5adacaa..c713f27 100644
--- a/http.c
+++ b/http.c
@@ -865,6 +865,7 @@ static int do_https_request(struct openconnect_info *vpninfo, const char *method
 struct oc_text_buf *buf;
 int result, buflen;
 int rq_retry;
+ int rlen, pad;
 redirected:
 vpninfo->redirect_type = REDIR_TYPE_NONE;
@@ -888,8 +889,15 @@ static int do_https_request(struct openconnect_info *vpninfo, const char *method
 add_common_headers(vpninfo, buf);
 if (request_body_type) {
+ rlen = strlen(request_body);
+
+ /* force body length to be a multiple of 64, to avoid leaking
+ * password length. */
+ pad = 64*(1+rlen/64) - rlen;
+ buf_append(buf, "X-Pad: %0*d\r\n", pad, 0);
+
 buf_append(buf, "Content-Type: %s\r\n", request_body_type);
- buf_append(buf, "Content-Length: %zd\r\n", strlen(request_body));
+ buf_append(buf, "Content-Length: %zd\r\n", rlen);
 }
 buf_append(buf, "\r\n");
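Review bot: The new Content-Length line passes `rlen`, now declared `int` in the first hunk, to a `%zd` conversion that expects a `size_t`-width argument; on LP64 targets that is a format/argument mismatch (undefined behaviour, and what -Wformat warns about) which the old code avoided by passing `strlen()` directly. The simplest consistent fix is `buf_append(buf, "Content-Length: %d\r\n", (int)rlen);`, or alternatively declare `size_t rlen;` and print with `%zu` (then `pad` needs an `(int)` cast for the `%0*d` width). The comment above the padding also overstates what it achieves: rounding to a multiple of 64 only hides the password length to within a 64-byte bucket, and because the padding is carried in a header the masking presumably depends on the remaining headers being fixed-length; I'd reword it to `/* round the request up to a multiple of 64 bytes so the TLS record size only reveals the password length to within a 64-byte bucket */`. do_https_request() starts and ends outside both hunks.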