From db26104de158fb91ce76d9dda8cc7673ca0c9551 Mon Sep 17 00:00:00 2001
From: beck <>
Date: Sat, 25 Feb 2017 23:48:08 +0000
Subject: pledge stdio before parsing the http response ok tb@
---
 src/usr.sbin/ocspcheck/ocspcheck.c | 20 +++++++++++---------
 1 file changed, 11 insertions(+), 9 deletions(-)
(limited to 'src')
diff --git a/src/usr.sbin/ocspcheck/ocspcheck.c b/src/usr.sbin/ocspcheck/ocspcheck.c
index 65342fa13c..5124d588b3 100644
--- a/src/usr.sbin/ocspcheck/ocspcheck.c
+++ b/src/usr.sbin/ocspcheck/ocspcheck.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocspcheck.c,v 1.16 2017/02/20 23:55:22 beck Exp $ */
+/* $OpenBSD: ocspcheck.c,v 1.17 2017/02/25 23:48:08 beck Exp $ */
 /*
 * Copyright (c) 2017 Bob Beck
 *
@@ -589,6 +589,16 @@ main(int argc, char **argv)
 request->data, request->size);
 if (hget == NULL)
 errx(1, "http_get");
+
+ /*
+ * Pledge minimally before fiddling with libcrypto init
+ * routines and parsing untrusted input from someone's OCSP
+ * server.
+ */
+
+ if (pledge("stdio", NULL) == -1)
+ err(1, "pledge");
+
 httph = http_head_parse(hget->http, hget->xfer, &httphsz);
 dspew("Server at %s returns:\n", host);
 for (i = 0; i < httphsz; i++)
@@ -597,14 +607,6 @@ main(int argc, char **argv)
 if (hget->bodypartsz <= 0)
 errx(1, "No body in reply from %s", host);
- /*
- * Pledge minimally before fiddling with libcrypto init routines
- * and untrusted input from someone's OCSP server.
- */
-
- if (pledge("stdio", NULL) == -1)
- err(1, "pledge");
-
 /*
 * Validate the OCSP response we got back
 */
-- 
cgit v1.2.3-55-g6feb
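Review bot: The added `pledge("stdio", NULL)` in the second hunk still runs only after `http_get()` has returned, so any handling of the server's reply inside `http_get()` (its body is not shown here) executes under whatever promises were in force before, presumably wider ones since the request needs the network. Only `http_head_parse()` and the code after it are confined, and the comment would be more accurate if it said so, for example `/* http_get() has already read the reply; only parsing and validation remain, so drop to "stdio". */`. That comment could also record that anything later in `main()` needing a new descriptor must be opened before this point, because "stdio" permits no further opens. `main()` starts and ends outside the hunk, so the earlier pledge and any later file output could not be checked from here.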