From cd22eceb68d25652bd124850d0f50812228e723d Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner <hans@eds.org>
Date: Wed, 29 Aug 2018 16:07:02 +0200
Subject: [PATCH] replace unneeded eval() call and support negative
 versionCodes

---
 fdroidserver/common.py | 10 +++++++---
 tests/common.TestCase  | 19 ++++++++++++++++---
 2 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index 45da7ffc..11d25d92 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -3190,8 +3190,12 @@ def get_git_describe_link():
 
 
 def calculate_math_string(expr):
-    ops = {ast.Add: operator.add, ast.Sub: operator.sub,
-           ast.Mult: operator.mul}
+    ops = {
+        ast.Add: operator.add,
+        ast.Mult: operator.mul,
+        ast.Sub: operator.sub,
+        ast.USub: operator.neg,
+    }
 
     def execute_ast(node):
         if isinstance(node, ast.Num):  # <number>
@@ -3200,7 +3204,7 @@ def calculate_math_string(expr):
             return ops[type(node.op)](execute_ast(node.left),
                                       execute_ast(node.right))
         elif isinstance(node, ast.UnaryOp):  # <operator> <operand> e.g., -1
-            return ops[type(node.op)](eval(node.operand))
+            return ops[type(node.op)](ast.literal_eval(node.operand))
         else:
             raise SyntaxError(node)
 
diff --git a/tests/common.TestCase b/tests/common.TestCase
index 68b288ec..d959d4b7 100755
--- a/tests/common.TestCase
+++ b/tests/common.TestCase
@@ -780,13 +780,26 @@ class CommonTest(unittest.TestCase):
                          fdroidserver.common.parse_androidmanifests(paths, app))
 
     def test_calculate_math_string(self):
-        self.assertEqual(1234, fdroidserver.common.calculate_math_string('1234'))
-        self.assertEqual(4, fdroidserver.common.calculate_math_string('(1+1)*2'))
-        self.assertEqual(2, fdroidserver.common.calculate_math_string('(1-1)*2+3*1-1'))
+        self.assertEqual(1234,
+                         fdroidserver.common.calculate_math_string('1234'))
+        self.assertEqual((1 + 1) * 2,
+                         fdroidserver.common.calculate_math_string('(1 + 1) * 2'))
+        self.assertEqual((1 - 1) * 2 + 3 * 1 - 1,
+                         fdroidserver.common.calculate_math_string('(1 - 1) * 2 + 3 * 1 - 1'))
+        self.assertEqual(0 - 12345,
+                         fdroidserver.common.calculate_math_string('0 - 12345'))
+        self.assertEqual(0xffff,
+                         fdroidserver.common.calculate_math_string('0xffff'))
+        self.assertEqual(0xcafe * 123,
+                         fdroidserver.common.calculate_math_string('0xcafe * 123'))
+        self.assertEqual(-1,
+                         fdroidserver.common.calculate_math_string('-1'))
         with self.assertRaises(SyntaxError):
             fdroidserver.common.calculate_math_string('__import__("urllib")')
         with self.assertRaises(SyntaxError):
             fdroidserver.common.calculate_math_string('self')
+        with self.assertRaises(SyntaxError):
+            fdroidserver.common.calculate_math_string('Ox9()')
         with self.assertRaises(SyntaxError):
             fdroidserver.common.calculate_math_string('1+1; print(1)')
         with self.assertRaises(SyntaxError):