From: Selva Nair Date: Tue, 9 Dec 2025 07:02:11 +0000 (+0100) Subject: pull-filter: improve documentation X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d3e03b9a97177f62d31697f2b4b453295ee30e60;p=thirdparty%2Fopenvpn.git pull-filter: improve documentation Pull-filter uses a simple string comparison and could be defeated by unusual formatting of pushed option strings. Document that this option is not meant to be used as a security measure. Reported by: Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a Signed-off-by: Selva Nair Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415 Message-Id: <20251209070218.4467-1-gert@greenie.muc.de> URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34930.html Signed-off-by: Gert Doering --- diff --git a/doc/man-sections/client-options.rst b/doc/man-sections/client-options.rst index ca4c8e9fb..b9ae7ce0f 100644 --- a/doc/man-sections/client-options.rst +++ b/doc/man-sections/client-options.rst @@ -345,6 +345,11 @@ configuration. next remote succeeds. To silently ignore an option pushed by the server, use :code:`ignore`. + *Warning:* ``pull-filter`` cannot be relied upon as a security measure to + protect against offending options pushed by a server. For example, the + filter could be defeated by pushing options with extra spaces between + tokens or other formatting variations. + --push-peer-info Push additional information about the client to server. The following data is always pushed to the server:
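Review bot: The added warning in doc/man-sections/client-options.rst says the filter "could be defeated by pushing options with extra spaces between tokens or other formatting variations" but does not give the reason, which only the commit message states: pull-filter uses a simple string comparison. Consider moving that sentence into the man page text itself, so a reader understands that the match is textual and why formatting differences in a pushed option string get past it. A smaller style point in the same paragraph: the option name is marked up as ``pull-filter`` while the context line directly above uses :code:`ignore`; using the same role for both would keep the section consistent.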