VercodeOperation: only allow simple math expresssions and %c

2025-09-14 15:02:51 +03:00 · 2018-03-02 12:50:48 +01:00 · 2018-03-02 12:50:48 +01:00 · 8f30c892c5
commit 8f30c892c5
parent 6876e28bb4
4 changed files with 58 additions and 0 deletions
--- a/fdroidserver/checkupdates.py
+++ b/fdroidserver/checkupdates.py
@ -429,6 +429,9 @@ def checkupdates_app(app):
        msg = 'Invalid update check method'

    if version and vercode and app.VercodeOperation:
+        if not common.VERCODE_OPERATION_RE.match(app.VercodeOperation):
+            raise MetaDataException(_('Invalid VercodeOperation: {field}')
+                                    .format(field=app.VercodeOperation))
        oldvercode = str(int(vercode))
        op = app.VercodeOperation.replace("%c", oldvercode)
        vercode = str(eval(op))