rpms/openscap
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Fix bad handling of HTTP error code

Browse Source 
Resolves: rhbz#2002733
This commit is contained in:
Matej Tyc 2021-11-01 11:30:59 +01:00
parent 2e6b0b2576
commit 058a36bb6d
2 changed files with 97 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

92
openscap-1.3.6-http_error_fix-PR_1805.patch Normal file
View File

@ -0,0 +1,92 @@
From d2790140325a3d77264937c38d5076899c824dd4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>
Date: Fri, 10 Sep 2021 10:11:00 +0200
Subject: [PATCH] Fail download on HTTP errors
When the HTTP server returns status code greater than or equal 400,
the download will fail.
Resolves: rhbz#2002733
---
src/common/oscap_acquire.c | 20 ++++++++++++++++++--
tests/DS/test_ds_misc.sh | 15 +++++++++++++++
2 files changed, 33 insertions(+), 2 deletions(-)
diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c
index cd9bfc36f6..8f4991751f 100644
--- a/src/common/oscap_acquire.c
+++ b/src/common/oscap_acquire.c
@@ -328,6 +328,14 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
CURLcode res;
+ /* CURLOPT_FAILONERROR - request failure on HTTP response >= 400 */
+ res = curl_easy_setopt(curl, CURLOPT_FAILONERROR, true);
+ if (res != 0) {
+ curl_easy_cleanup(curl);
+ oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FAILONERROR: %s", curl_easy_strerror(res));
+ return NULL;
+ }
+
res = curl_easy_setopt(curl, CURLOPT_URL, url);
if (res != 0) {
curl_easy_cleanup(curl);
@@ -387,14 +395,22 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)
}
res = curl_easy_perform(curl);
- curl_easy_cleanup(curl);
if (res != 0) {
- oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s", curl_easy_strerror(res));
+ if (res == CURLE_HTTP_RETURNED_ERROR) {
+ long http_code = 0;
+ curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code);
+ oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s: %ld", curl_easy_strerror(res), http_code);
+ } else {
+ oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s", curl_easy_strerror(res));
+ }
+ curl_easy_cleanup(curl);
oscap_buffer_free(buffer);
return NULL;
}
+ curl_easy_cleanup(curl);
+
*memory_size = oscap_buffer_get_length(buffer);
char* data = oscap_buffer_bequeath(buffer); // get data and free buffer struct
return data;
diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh
index 4d2dfc449a..159007518e 100755
--- a/tests/DS/test_ds_misc.sh
+++ b/tests/DS/test_ds_misc.sh
@@ -250,6 +250,19 @@ function test_ds_continue_without_remote_resources() {
rm -f "$result" "$oval_result"
}
+function test_ds_error_remote_resources() {
+ local DS="${srcdir}/$1"
+ local PROFILE="$2"
+ local result=$(mktemp)
+ local stderr=$(mktemp)
+
+ $OSCAP xccdf eval --fetch-remote-resources --profile "$PROFILE" --results "$result" "$DS" 2>"$stderr" || ret=$?
+ grep -q "Downloading: https://www.example.com/security/data/oval/oval.xml.bz2 ... error" "$stderr"
+ grep -q "OpenSCAP Error: Download failed: HTTP response code said error: 404" "$stderr"
+
+ rm -f "$result" "$stderr"
+}
+
function test_source_date_epoch() {
local xccdf="$srcdir/sds_multiple_oval/multiple-oval-xccdf.xml"
local result="$(mktemp)"
@@ -286,7 +299,9 @@ test_run "eval_cpe" test_eval_cpe eval_cpe/sds.xml
test_run "test_eval_complex" test_eval_complex
test_run "sds_add_multiple_oval_twice_in_row" sds_add_multiple_twice
test_run "test_ds_1_2_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res
+test_run "test_ds_1_2_error_remote_resources" test_ds_error_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res
test_run "test_ds_1_3_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res
+test_run "test_ds_1_3_error_remote_resources" test_ds_error_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res
test_run "test_source_date_epoch" test_source_date_epoch
test_exit

6
openscap.spec
View File

@ -1,6 +1,6 @@
Name: openscap Name: openscap
Version: 1.3.5 Version: 1.3.5
Release: 8%{?dist} Release: 9%{?dist}
Epoch: 1 Epoch: 1
Summary: Set of open source libraries enabling integration of the SCAP line of standards Summary: Set of open source libraries enabling integration of the SCAP line of standards
License: LGPLv2+ License: LGPLv2+
@ -16,6 +16,7 @@ Patch7: openscap-1.3.6-yamlfile-null-pr-1756.patch
Patch8: openscap-1.3.6-coverity-issues-pr-1748.patch Patch8: openscap-1.3.6-coverity-issues-pr-1748.patch
Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch Patch9: openscap-1.3.6-coverity-issues-pr-1778.patch
Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch Patch10: openscap-1.3.6-disable-sha1-md5-pr-1781.patch
Patch11: openscap-1.3.6-http_error_fix-PR_1805.patch
BuildRequires: make BuildRequires: make
BuildRequires: cmake >= 2.6 BuildRequires: cmake >= 2.6
BuildRequires: gcc BuildRequires: gcc
@ -206,6 +207,9 @@ pathfix.py -i %{__python3} -p -n $RPM_BUILD_ROOT%{_bindir}/scap-as-rpm
%{_bindir}/oscap-run-sce-script %{_bindir}/oscap-run-sce-script
%changelog %changelog
* Mon Nov 01 2021 Matej Tyc <matyc@redhat.com> - 1:1.3.5-9
- Fix bad handling of HTTP error code (rhbz#2002733)
* Fri Aug 27 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-8 * Fri Aug 27 2021 Jan Černý <jcerny@redhat.com> - 1:1.3.5-8
- Revert Epoch removal - Revert Epoch removal