From 11b3e5be3a30ced6377eb76ff455697445a33db0 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Sat, 1 Sep 2018 12:19:45 +0200
Subject: [PATCH] update: throw exception for APKs with invalid Application ID

Android Application IDs must be valid Java Package Names. While the build tools likely validate the Application ID, it is possible to manually create a malicious APK.
---
 fdroidserver/common.py | 2 +-
 fdroidserver/update.py | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index acccf63a..b07f080d 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -1511,7 +1511,7 @@ def parse_androidmanifests(paths, app):
     if max_version is None:
         max_version = "Unknown"
 
-    if max_package and not is_valid_package_name(max_package):
+    if max_package and not is_valid_java_package_name(max_package):
         raise FDroidException(_("Invalid package name {0}").format(max_package))
 
     return (max_version, max_vercode, max_package)
diff --git a/fdroidserver/update.py b/fdroidserver/update.py
index a760a078..635f48ee 100644
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@@ -1064,6 +1064,10 @@ def scan_apk(apk_file):
     else:
         scan_apk_aapt(apk, apk_file)
 
+    if not common.is_valid_java_package_name(apk['packageName']):
+        raise BuildException(_("{appid} from {path} is not a valid Java Package Name!")
+                             .format(appid=apk['packageName'], path=apk_file))
+
     # Get the signature, or rather the signing key fingerprints
     logging.debug('Getting signature of {0}'.format(os.path.basename(apk_file)))
     apk['sig'] = getsig(apk_file)
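Review bot: The validator swapped in at the `if max_package and not is_valid_java_package_name(max_package):` line now enforces a stricter rule than the message on the next line states, so a metadata author hit by it is told only "Invalid package name" without learning what rule was violated. The sibling check this commit adds in update.py names the constraint explicitly, and this raise should match it: `raise FDroidException(_("Invalid package name {0}: not a valid Java Package Name").format(max_package))`. Note too that the `max_package and` guard means an empty or missing package name still passes silently here, which is presumably intentional since callers handle an unset name, but is worth stating in a comment above the check. The body of parse_androidmanifests starts outside the hunk, and the definition of is_valid_java_package_name is not visible here.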
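Review bot: The added check indexes `apk['packageName']` directly, so if either scan_apk_androguard or scan_apk_aapt can return without setting that key (not visible from this hunk), a malformed APK surfaces as a KeyError rather than the intended BuildException, which defeats the purpose of a hardening check aimed at hand-crafted APKs. Reading the value once with `appid = apk.get('packageName')` and testing `if not appid or not common.is_valid_java_package_name(appid):` keeps every malformed case on the same error path and avoids the double lookup in the message. The check is also well placed before the package name reaches any later use in the repo layout, but a one-line comment saying why it exists would help the next maintainer, for example `# Reject hand-crafted APKs whose Application ID is not a valid Java package name before the value is used anywhere downstream`. The enclosing scan_apk body starts and ends outside the hunk.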