pull-filter: improve documentation

Pull-filter uses a simple string comparison and could be defeated by
unusual formatting of pushed option strings. Document that this
option is not meant to be used as a security measure.

Reported by: <[email protected]>

Change-Id: I2c8d40038e52fbdff1c56f93db1e6a2f9255c59a
Signed-off-by: Selva Nair <[email protected]>
Acked-by: Gert Doering <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1415
Message-Id: <[email protected]>
URL: https://www.mail-archive.com/[email protected]/msg34930.html
Signed-off-by: Gert Doering <[email protected]>
(cherry picked from commit d3e03b9)

Author: selvanair

doc/man-sections/client-options.rst

@@ -340,6 +340,11 @@ configuration.
   next remote succeeds. To silently ignore an option pushed by the server,
   use :code:`ignore`.
 
+  *Warning:* ``pull-filter`` cannot be relied upon as a security measure to
+  protect against offending options pushed by a server. For example, the
+  filter could be defeated by pushing options with extra spaces between
+  tokens or other formatting variations.
+
 --push-peer-info
   Push additional information about the client to server. The following
   data is always pushed to the server: