1 files changed, 33 insertions, 10 deletions
diff --git a/plugins/check_curl.c b/plugins/check_curl.c
index e7737c7c..95e45282 100644
--- a/plugins/check_curl.c
+++ b/plugins/check_curl.c
@@ -120,6 +120,14 @@ mp_state_enum np_net_ssl_check_certificate(X509 *certificate, int days_till_exp_
 #endif /* defined(HAVE_SSL) && defined(USE_OPENSSL) */
 int main(int argc, char **argv) {
+#ifdef __OpenBSD__
+        /* - rpath is required to read --extra-opts, CA and/or client certs
+         * - wpath is required to write --cookie-jar (possibly given up later)
+         * - inet is required for sockets
+         * - dns is required for name lookups */
+        pledge("stdio rpath wpath inet dns", NULL);
+#endif // __OpenBSD__
        setlocale(LC_ALL, "");
        bindtextdomain(PACKAGE, LOCALEDIR);
        textdomain(PACKAGE);
@@ -135,6 +143,15 @@ int main(int argc, char **argv) {
        const check_curl_config config = tmp_config.config;
+#ifdef __OpenBSD__
+        if (!config.curl_config.cookie_jar_file) {
+                if (verbose >= 2) {
+                        printf(_("* No \"--cookie-jar\" is used, giving up \"wpath\" pledge(2)\n"));
+                }
+                pledge("stdio rpath inet dns", NULL);
+        }
+#endif // __OpenBSD__
        if (config.output_format_is_set) {
                mp_set_format(config.output_format);
        }
@@ -775,19 +792,23 @@ redir_wrapper redir(curlhelp_write_curlbuf *header_buf, const check_curl_config
        /* missing components have null,null in their UriTextRangeA
         * add query parameters if they exist.
         */
-        if (uri.query.first && uri.query.afterLast){
+        if (uri.query.first && uri.query.afterLast) {
-                // Ensure we have space for '?' + query_str + '\0' ahead of time, instead of calling strncat twice
+                // Ensure we have space for '?' + query_str + '\0' ahead of time, instead of calling strncat
+                // twice
                size_t current_len = strlen(new_url);
                size_t remaining_space = DEFAULT_BUFFER_SIZE - current_len - 1;
-                const char* query_str = uri_string(uri.query, buf, DEFAULT_BUFFER_SIZE);
+                const char *query_str = uri_string(uri.query, buf, DEFAULT_BUFFER_SIZE);
                size_t query_str_len = strlen(query_str);
                if (remaining_space >= query_str_len + 1) {
                        strcat(new_url, "?");
                        strcat(new_url, query_str);
-                }else{
+                } else {
-                        die(STATE_UNKNOWN, _("HTTP UNKNOWN - No space to add query part of size %d to the buffer, buffer has remaining size %d"), query_str_len , current_len );
+                        die(STATE_UNKNOWN,
+                                _("HTTP UNKNOWN - No space to add query part of size %zu to the buffer, buffer has "
+                                  "remaining size %zu"),
+                                query_str_len, current_len);
                }
        }
@@ -1244,7 +1265,7 @@ check_curl_config_wrapper process_arguments(int argc, char **argv) {
                        result.config.curl_config.sin_family = AF_INET;
                        break;
                case '6':
-#if defined(USE_IPV6) && defined(LIBCURL_FEATURE_IPV6)
+#if defined(LIBCURL_FEATURE_IPV6)
                        result.config.curl_config.sin_family = AF_INET6;
 #else
                        usage4(_("IPv6 support not available"));
@@ -1501,8 +1522,8 @@ void print_help(void) {
        printf(" %s\n", "-I, --IP-address=ADDRESS");
        printf("    %s\n",
                   "IP address or name (use numeric address if possible to bypass DNS lookup).");
-        printf("    %s\n",
+        printf("    %s\n", "This overwrites the network address of the target while leaving everything "
-                     "This overwrites the network address of the target while leaving everything else (HTTP headers) as they are");
+                                           "else (HTTP headers) as they are");
        printf(" %s\n", "-p, --port=INTEGER");
        printf("    %s", _("Port number (default: "));
        printf("%d)\n", HTTP_PORT);
@@ -1566,7 +1587,8 @@ void print_help(void) {
        printf("    %s\n", _("String to expect in the content"));
        printf(" %s\n", "-u, --url=PATH");
        printf("    %s\n", _("URL to GET or POST (default: /)"));
-        printf("    %s\n", _("This is the part after the address in a URL, so for \"https://example.com/index.html\" it would be '-u /index.html'"));
+        printf("    %s\n", _("This is the part after the address in a URL, so for "
+                                                 "\"https://example.com/index.html\" it would be '-u /index.html'"));
        printf(" %s\n", "-P, --post=STRING");
        printf("    %s\n", _("URL decoded http POST data"));
        printf(" %s\n",
@@ -1712,7 +1734,8 @@ void print_help(void) {
        printf(" %s\n", _("It is recommended to use an environment proxy like:"));
        printf(" %s\n",
                   _("https_proxy=http://192.168.100.35:3128 ./check_curl -H www.verisign.com -S"));
-        printf(" %s\n", _("legacy proxy requests in check_http style might still work, but are frowned upon, so DONT:"));
+        printf(" %s\n", _("legacy proxy requests in check_http style might still work, but are frowned "
+                                          "upon, so DONT:"));
        printf(" %s\n", _("check_curl -I 192.168.100.35 -p 3128 -u https://www.verisign.com/ -S -j "
                                          "CONNECT -H www.verisign.com "));
        printf(" %s\n", _("all these options are needed: -I <proxy> -p <proxy-port> -u <check-url> "