From 058a36bb6de25dc2e89a26056ee1ca77c58ea38d Mon Sep 17 00:00:00 2001
From: Matej Tyc
Date: Mon, 1 Nov 2021 11:30:59 +0100
Subject: [PATCH] Fix bad handling of HTTP error code
Resolves: rhbz#2002733
---
 openscap-1.3.6-http_error_fix-PR_1805.patch | 92 +++++++++++++++++++++
 openscap.spec | 6 +-
 2 files changed, 97 insertions(+), 1 deletion(-)
 create mode 100644 openscap-1.3.6-http_error_fix-PR_1805.patch
diff --git a/openscap-1.3.6-http_error_fix-PR_1805.patch b/openscap-1.3.6-http_error_fix-PR_1805.patch
new file mode 100644
index 0000000..148a10b
--- /dev/null
+++ b/openscap-1.3.6-http_error_fix-PR_1805.patch
@@ -0,0 +1,92 @@
+From d2790140325a3d77264937c38d5076899c824dd4 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
+Date: Fri, 10 Sep 2021 10:11:00 +0200
+Subject: [PATCH] Fail download on HTTP errors
+
+When the HTTP server returns status code greater than or equal 400,
+the download will fail.
+
+Resolves: rhbz#2002733
+---
+ src/common/oscap_acquire.c | 20 ++++++++++++++++++--
+ tests/DS/test_ds_misc.sh | 15 +++++++++++++++
+ 2 files changed, 33 insertions(+), 2 deletions(-)
+
+diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
+index cd9bfc36f6..8f4991751f 100644
+--- a/src/common/oscap_acquire.c
++++ b/src/common/oscap_acquire.c
+@@ -328,6 +328,14 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
+
+ CURLcode res;
+
++ /* CURLOPT_FAILONERROR - request failure on HTTP response >= 400 */
++ res = curl_easy_setopt(curl, CURLOPT_FAILONERROR, true);
++ if (res != 0) {
++ curl_easy_cleanup(curl);
++ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FAILONERROR: %s", curl_easy_strerror(res));
++ return NULL;
++ }
++
+ res = curl_easy_setopt(curl, CURLOPT_URL, url);
+ if (res != 0) {
+ curl_easy_cleanup(curl);
+@@ -387,14 +395,22 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
+ }
+
+ res = curl_easy_perform(curl);
+- curl_easy_cleanup(curl);
+
+ if (res != 0) {
+- oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s", curl_easy_strerror(res));
++ if (res == CURLE_HTTP_RETURNED_ERROR) {
++ long http_code = 0;
++ curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code);
++ oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s: %ld", curl_easy_strerror(res), http_code);
++ } else {
++ oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s", curl_easy_strerror(res));
++ }
++ curl_easy_cleanup(curl);
+ oscap_buffer_free(buffer);
+ return NULL;
+ }
+
++ curl_easy_cleanup(curl);
++
+ *memory_size = oscap_buffer_get_length(buffer);
+ char* data = oscap_buffer_bequeath(buffer); // get data and free buffer struct
+ return data;
+diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh
+index 4d2dfc449a..159007518e 100755
+--- a/tests/DS/test_ds_misc.sh
++++ b/tests/DS/test_ds_misc.sh
+@@ -250,6 +250,19 @@ function test_ds_continue_without_remote_resources() {
+ rm -f "$result" "$oval_result"
+ }
+
++function test_ds_error_remote_resources() {
++ local DS="${srcdir}/$1"
++ local PROFILE="$2"
++ local result=$(mktemp)
++ local stderr=$(mktemp)
++
++ $OSCAP xccdf eval --fetch-remote-resources --profile "$PROFILE" --results "$result" "$DS" 2>"$stderr" || ret=$?
++ grep -q "Downloading: https://www.example.com/security/data/oval/oval.xml.bz2 ... error" "$stderr"
++ grep -q "OpenSCAP Error: Download failed: HTTP response code said error: 404" "$stderr"
++
++ rm -f "$result" "$stderr"
++}
++
+ function test_source_date_epoch() {
+ local xccdf="$srcdir/sds_multiple_oval/multiple-oval-xccdf.xml"
+ local result="$(mktemp)"
+@@ -286,7 +299,9 @@ test_run "eval_cpe" test_eval_cpe eval_cpe/sds.xml
+ test_run "test_eval_complex" test_eval_complex
+ test_run "sds_add_multiple_oval_twice_in_row" sds_add_multiple_twice
+ test_run "test_ds_1_2_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res
++test_run "test_ds_1_2_error_remote_resources" test_ds_error_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res
+ test_run "test_ds_1_3_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res
++test_run "test_ds_1_3_error_remote_resources" test_ds_error_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res
+ test_run "test_source_date_epoch" test_source_date_epoch
+
+ test_exit
diff --git a/openscap.spec b/openscap.spec
index 105f6ac..53aef95 100644
--- a/openscap.spec
+++ b/openscap.spec
@@ -1,6 +1,6 @@
 Name: openscap
 Version: 1.3.5
-Release: 8%{?dist}
+Release: 9%{?dist}
 Epoch: 1
 Summary: Set of open source libraries enabling integration of the SCAP line of standards
 License: LGPLv2+
@@ -16,6 +16,7 @@ Patch7: openscap-1.3.6-yamlfile-null-pr-1756.patch
 Patch8: openscap-1.3.6-coverity-issues-pr-1748.patch
 Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch
 Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch
+Patch11: openscap-1.3.6-http_error_fix-PR_1805.patch
 BuildRequires: make
 BuildRequires: cmake >= 2.6
 BuildRequires: gcc
@@ -206,6 +207,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
 %{_bindir}/oscap-run-sce-script
 %changelog
+* Mon Nov 01 2021 Matej Tyc - 1:1.3.5-9
+- Fix bad handling of HTTP error code (rhbz#2002733)
+
 * Fri Aug 27 2021 Jan Černý - 1:1.3.5-8
 - Revert Epoch removal
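Review bot: In the first src/common/oscap_acquire.c hunk, `curl_easy_setopt(curl, CURLOPT_FAILONERROR, true)` passes `true` through a variadic call for an option libcurl documents as taking a `long`. After default promotion the argument is an `int`, which is not the type libcurl reads back, so the call only works where the ABI happens to tolerate the mismatch; use `res = curl_easy_setopt(curl, CURLOPT_FAILONERROR, 1L);`. libcurl also documents this option as not fail-safe when authentication is involved (401 and 407 responses can slip through), so the comment above the call should say that the downloaded content still has to be validated by its consumer rather than reading as a guarantee. In the second hunk the result of `curl_easy_getinfo` is ignored, which is harmless only because `http_code` starts at 0; a one-line comment saying so would keep a later edit from removing the initialiser. The body of oscap_acquire_url_download starts and ends outside both hunks.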
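Review bot: In the tests/DS/test_ds_misc.sh hunk, test_ds_error_remote_resources saves the scanner's exit status with `|| ret=$?` but never checks it, and `ret` is not declared `local`, so the test decides on the two stderr messages alone and leaks a variable into the caller; declare `local ret=0` and assert the status the test expects, or drop the assignment. The expected `404` text appears to depend on a live request to www.example.com, so in a build environment without network access the download would presumably fail with a different curl error and the second `grep -q` would not match; serving the error from a local fixture or skipping when offline would make the test deterministic. If the script runs under errexit (not visible in this hunk), a failing `grep` skips the final `rm -f` and leaves both temp files behind, which a cleanup `trap` would avoid.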