pledge stdio before parsing the http response

ok tb@

1 files changed, 11 insertions, 9 deletions

diff --git a/src/usr.sbin/ocspcheck/ocspcheck.c b/src/usr.sbin/ocspcheck/ocspcheck.c
index 65342fa13c..5124d588b3 100644
--- a/src/usr.sbin/ocspcheck/ocspcheck.c
+++ b/src/usr.sbin/ocspcheck/ocspcheck.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocspcheck.c,v 1.16 2017/02/20 23:55:22 beck Exp $ */
+/* $OpenBSD: ocspcheck.c,v 1.17 2017/02/25 23:48:08 beck Exp $ */
 /*
  * Copyright (c) 2017 Bob Beck <beck@openbsd.org>
  *
@@ -589,6 +589,16 @@ main(int argc, char **argv)
             request->data, request->size);
         if (hget == NULL)
                 errx(1, "http_get");
+
+        /*
+         * Pledge minimally before fiddling with libcrypto init
+         * routines and parsing untrusted input from someone's OCSP
+         * server.
+         */
+
+        if (pledge("stdio", NULL) == -1)
+                err(1, "pledge");
+
         httph = http_head_parse(hget->http, hget->xfer, &httphsz);
         dspew("Server at %s returns:\n", host);
         for (i = 0; i < httphsz; i++)
@@ -598,14 +608,6 @@ main(int argc, char **argv)
                 errx(1, "No body in reply from %s", host);
 
         /*
-         * Pledge minimally before fiddling with libcrypto init routines
-         * and untrusted input from someone's OCSP server.
-         */
-
-        if (pledge("stdio", NULL) == -1)
-                err(1, "pledge");
-
-        /*
          * Validate the OCSP response we got back
          */
         OPENSSL_add_all_algorithms_noconf();