From d2790140325a3d77264937c38d5076899c824dd4 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?= <jcerny@redhat.com>

Date: Fri, 10 Sep 2021 10:11:00 +0200

Subject: [PATCH] Fail download on HTTP errors

When the HTTP server returns status code greater than or equal 400,

the download will fail.

Resolves: rhbz#2002733

---

 src/common/oscap_acquire.c | 20 ++++++++++++++++++--

 tests/DS/test_ds_misc.sh   | 15 +++++++++++++++

 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c

index cd9bfc36f6..8f4991751f 100644

--- a/src/common/oscap_acquire.c

+++ b/src/common/oscap_acquire.c

@@ -328,6 +328,14 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)

 	CURLcode res;

+	/* CURLOPT_FAILONERROR - request failure on HTTP response >= 400 */

+	res = curl_easy_setopt(curl, CURLOPT_FAILONERROR, true);

+	if (res != 0) {

+		curl_easy_cleanup(curl);

+		oscap_seterr(OSCAP_EFAMILY_NET, "Failed to set CURLOPT_FAILONERROR: %s", curl_easy_strerror(res));

+		return NULL;

+	}

+

 	res = curl_easy_setopt(curl, CURLOPT_URL, url);

 	if (res != 0) {

 		curl_easy_cleanup(curl);

@@ -387,14 +395,22 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size)

 	}

 	res = curl_easy_perform(curl);

-	curl_easy_cleanup(curl);

 	if (res != 0) {

-		oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s", curl_easy_strerror(res));

+		if (res == CURLE_HTTP_RETURNED_ERROR) {

+			long http_code = 0;

+			curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code);

+			oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s: %ld", curl_easy_strerror(res), http_code);

+		} else {

+			oscap_seterr(OSCAP_EFAMILY_NET, "Download failed: %s", curl_easy_strerror(res));

+		}

+		curl_easy_cleanup(curl);

 		oscap_buffer_free(buffer);

 		return NULL;

 	}

+	curl_easy_cleanup(curl);

+

 	*memory_size = oscap_buffer_get_length(buffer);

 	char* data = oscap_buffer_bequeath(buffer); // get data and free buffer struct

 	return data;

diff --git a/tests/DS/test_ds_misc.sh b/tests/DS/test_ds_misc.sh

index 4d2dfc449a..159007518e 100755

--- a/tests/DS/test_ds_misc.sh

+++ b/tests/DS/test_ds_misc.sh

@@ -250,6 +250,19 @@ function test_ds_continue_without_remote_resources() {

 	rm -f "$result" "$oval_result"

 }

+function test_ds_error_remote_resources() {

+	local DS="${srcdir}/$1"

+	local PROFILE="$2"

+	local result=$(mktemp)

+	local stderr=$(mktemp)

+

+	$OSCAP xccdf eval --fetch-remote-resources --profile "$PROFILE" --results "$result" "$DS" 2>"$stderr" || ret=$?

+	grep -q "Downloading: https://www.example.com/security/data/oval/oval.xml.bz2 ... error" "$stderr"

+	grep -q "OpenSCAP Error: Download failed: HTTP response code said error: 404" "$stderr"

+

+	rm -f "$result" "$stderr"

+}

+

 function test_source_date_epoch() {

 	local xccdf="$srcdir/sds_multiple_oval/multiple-oval-xccdf.xml"

 	local result="$(mktemp)"

@@ -286,7 +299,9 @@ test_run "eval_cpe" test_eval_cpe eval_cpe/sds.xml

 test_run "test_eval_complex" test_eval_complex

 test_run "sds_add_multiple_oval_twice_in_row" sds_add_multiple_twice

 test_run "test_ds_1_2_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res

+test_run "test_ds_1_2_error_remote_resources" test_ds_error_remote_resources ds_continue_without_remote_resources/remote_content_1.2.ds.xml xccdf_com.example.www_profile_test_remote_res

 test_run "test_ds_1_3_continue_without_remote_resources" test_ds_continue_without_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res

+test_run "test_ds_1_3_error_remote_resources" test_ds_error_remote_resources ds_continue_without_remote_resources/remote_content_1.3.ds.xml xccdf_com.example.www_profile_test_remote_res

 test_run "test_source_date_epoch" test_source_date_epoch

 test_exit