nsscash: guard against unexpected 304

A 304 (status not modified) from the server was always considered a
non-error even if we did not send a If-Modified-Since. This could hide
errors for buggy servers.

diff --git a/file.go b/file.go
index e06a9bce335ccc4e4444e5f8ea9502d27df09eba..5b8fffef41b466d0c32182fb6f71fd7c77a64978 100644 (file)
--- a/file.go
+++ b/file.go
@@ -89,12 +89,17 @@ func fetchFile(file *File, state *State) error {
                t = zero // force download
        }
 
+       oldT := t
        status, body, err := fetchIfModified(file.Url,
                file.Username, file.Password, file.CA, &t)
        if err != nil {
                return err
        }
        if status == http.StatusNotModified {
+               if oldT.IsZero() {
+                       return fmt.Errorf("status code 304 " +
+                               "but did not send If-Modified-Since")
+               }
                log.Printf("%q -> %q: not modified", file.Url, file.Path)
                return nil
        }

diff --git a/main_test.go b/main_test.go
index 31c9e50064f21276776f5e344edc62da53f9aad0..c4afa7929dbf980489cdde2fa487725d6f4917f1 100644 (file)
--- a/main_test.go
+++ b/main_test.go
@@ -198,6 +198,7 @@ func TestMainFetch(t *testing.T) {
                // Perform most tests with passwd for simplicity
                fetchPasswdCacheFileDoesNotExist,
                fetchPasswd404,
+               fetchPasswdUnexpected304,
                fetchPasswdEmpty,
                fetchPasswdInvalid,
                fetchPasswdLimits,
@@ -329,6 +330,24 @@ func fetchPasswd404(a args) {
        mustBeOld(a.t, passwdPath)
 }
 
+func fetchPasswdUnexpected304(a args) {
+       t := a.t
+       mustWritePasswdConfig(t, a.url)
+       mustCreate(t, passwdPath)
+
+       *a.handler = func(w http.ResponseWriter, r *http.Request) {
+               // 304
+               w.WriteHeader(http.StatusNotModified)
+       }
+
+       err := mainFetch(configPath)
+       mustBeErrorWithSubstring(t, err,
+               "status code 304 but did not send If-Modified-Since")
+
+       mustNotExist(t, statePath, plainPath, groupPath)
+       mustBeOld(a.t, passwdPath)
+}
+
 func fetchPasswdEmpty(a args) {
        t := a.t
        mustWritePasswdConfig(t, a.url)