From 5d161cc9fd3c5b2a00252cb6d28d7e0e8e2bdc85 Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Sat, 1 Sep 2018 12:08:37 +0200
Subject: [PATCH] validate appid when reading metadata files

The metadata file must be named after the Application ID of the app it is describing, and Android Application IDs must be valid Java Package Names.
---
 fdroidserver/common.py   | 14 +++++++++++++-
 fdroidserver/metadata.py |  3 +++
 tests/common.TestCase    | 18 ++++++++++++++++--
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 55cb2b65..acccf63a 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -1518,7 +1518,19 @@ def parse_androidmanifests(paths, app):
 
 
 def is_valid_package_name(name):
-    return re.match("[A-Za-z_][A-Za-z_0-9.]+$", name)
+    """Check whether name is a valid fdroid package name
+
+    APKs and manually defined package names must use a valid Java
+    Package Name. Automatically generated package names for non-APK
+    files use the SHA-256 sum.
+
+    """
+    return re.match("^([a-f0-9]+|[A-Za-z_][A-Za-z_0-9.]+)$", name)
+
+
+def is_valid_java_package_name(name):
+    """Check whether name is a valid Java package name aka Application ID"""
+    return re.match("^[A-Za-z_][A-Za-z_0-9.]+$", name)
 
 
 def getsrclib(spec, srclib_dir, subdir=None, basepath=False,
diff --git a/fdroidserver/metadata.py b/fdroidserver/metadata.py
index 02e7bc3d..273ecb80 100644
--- a/fdroidserver/metadata.py
+++ b/fdroidserver/metadata.py
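Review bot: Both new patterns end in `$`, which in Python also matches just before a trailing newline, so `re.match` accepts `"org.fdroid.fdroid\n"` even though the docstring promises a valid Java package name; `re.fullmatch` (or `\Z` instead of `$`) closes that, and the `^` anchors become redundant with `re.match`. The Java alternation `[A-Za-z_][A-Za-z_0-9.]+` also never looks at segment boundaries, so `org..fdroid`, `org.fdroid.` and `org.1fdroid` all pass although none is a legal Java package name; a per-segment form such as `[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)*` would reject them, with the caveat that it also accepts a single-segment name, which the current `+` does not, so keep whatever minimum-length rule the project relies on. In `is_valid_package_name` the `[a-f0-9]+` branch accepts hex of any length; if the auto-generated names are always a full SHA-256 hex digest, as the docstring and the 64-character test value suggest, `[a-f0-9]{64}` pins that and keeps short hex-looking strings like `deadbeef` out of the valid set.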
@@ -805,6 +805,9 @@ def read_metadata(xref=True, check_vcs=[], refresh=True, sort_by_time=False):
         if metadatapath == '.fdroid.txt':
             warn_or_exception(_('.fdroid.txt is not supported! Convert to .fdroid.yml or .fdroid.json.'))
         appid, _ignored = fdroidserver.common.get_extension(os.path.basename(metadatapath))
+        if appid != '.fdroid' and not fdroidserver.common.is_valid_package_name(appid):
+            warn_or_exception(_("{appid} from {path} is not a valid Java Package Name!")
+                              .format(appid=appid, path=metadatapath))
         if appid in apps:
             warn_or_exception(_("Found multiple metadata files for {appid}")
                               .format(appid=appid))
diff --git a/tests/common.TestCase b/tests/common.TestCase
index 1c75a411..ef614a56 100755
--- a/tests/common.TestCase
+++ b/tests/common.TestCase
@@ -158,9 +158,10 @@ class CommonTest(unittest.TestCase):
         self.assertFalse(debuggable, "debuggable APK state was not properly parsed!")
 
-    def testPackageNameValidity(self):
+    def test_is_valid_package_name(self):
         for name in ["org.fdroid.fdroid",
-                     "org.f_droid.fdr0ID"]:
+                     "org.f_droid.fdr0ID",
+                     "05041684efd9b16c2888b1eddbadd0359f655f311b89bdd1737f560a10d20fb8"]:
             self.assertTrue(fdroidserver.common.is_valid_package_name(name),
                             "{0} should be a valid package name".format(name))
         for name in ["0rg.fdroid.fdroid",
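Review bot: The new check in read_metadata calls `is_valid_package_name`, which after the common.py hunk also accepts any all-lowercase-hex string, yet the error text says "is not a valid Java Package Name!" and the commit message (and the new `is_valid_java_package_name` helper added for exactly this) say a metadata file name must be a Java package name; as written, a file such as `deadbeef.yml` is accepted silently. The call should be `if appid != '.fdroid' and not fdroidserver.common.is_valid_java_package_name(appid):` so the check matches its own message. Since appid is the key later used in `apps` and presumably in paths derived from it elsewhere, rejecting anything outside the Java-package-name alphabet at this single entry point is the right place to do it. read_metadata begins and ends outside the hunk.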
@@ -170,6 +171,19 @@ class CommonTest(unittest.TestCase):
             self.assertFalse(fdroidserver.common.is_valid_package_name(name),
                              "{0} should not be a valid package name".format(name))
 
+    def test_is_valid_java_package_name(self):
+        for name in ["org.fdroid.fdroid",
+                     "org.f_droid.fdr0ID"]:
+            self.assertTrue(fdroidserver.common.is_valid_java_package_name(name),
+                            "{0} should be a valid package name".format(name))
+        for name in ["0rg.fdroid.fdroid",
+                     ".f_droid.fdr0ID",
+                     "org.fdroid/fdroid",
+                     "/org.fdroid.fdroid",
+                     "05041684efd9b16c2888b1eddbadd0359f655f311b89bdd1737f560a10d20fb8"]:
+            self.assertFalse(fdroidserver.common.is_valid_java_package_name(name),
+                             "{0} should not be a valid package name".format(name))
+
     def test_prepare_sources(self):
         testint = 99999999
         teststr = 'FAKE_STR_FOR_TESTING'
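Review bot: The rejected-names list in test_is_valid_java_package_name only covers a leading digit, a leading dot, slashes and a hex digest, so it passes against a pattern that still accepts malformed segments and a trailing newline; adding `"org..fdroid"`, `"org.fdroid."` and `"org.fdroid.fdroid\n"` to that list would pin the behaviour the helper's docstring claims and would fail until the regex in common.py is tightened. The two assertion messages say "package name" for both helpers; saying "Java package name" in this test makes a failure report immediately distinguishable from the sibling test above.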