For androguard, @thezero already developed a way to get all the icons after
only extracting the icon name. So this uses that for the aapt-based scans
also, to make them less brittle.
This should fix the problem where `fdroid update` was choosing the XML icon
for apps that include one, like NewPipe.
closes fdroid/fdroid-website#192
This should have less of a chance of matching bad things.
Thanks to @stf for the report. I ran tests comparing the original vs these
new patterns, and it was a 100% match. So at least it didn't make things
worse.
Here's the test script:
#!/usr/bin/env python3
import os
import re
old_vcsearch_g = re.compile(r'''.*[Vv]ersionCode[ =]+["']*([0-9]+)["']*''').search
old_vnsearch_g = re.compile(r'.*[Vv]ersionName *=* *(["\'])((?:(?=(\\?))\3.)*?)\1.*').search
old_psearch_g = re.compile(r'.*(packageName|applicationId) *=* *["\']([^"]+)["\'].*').search
new_vcsearch_g = re.compile(r'''.*[Vv]ersionCode\s*=?\s*["']*([0-9]+)["']*''').search
new_vnsearch_g = re.compile(r'''.*[Vv]ersionName\s*=?\s*(["'])((?:(?=(\\?))\3.)*?)\1.*''').search
new_psearch_g = re.compile(r'''.*(packageName|applicationId)\s*=*\s*["']([^"']+)["'].*''').search
old = re.compile(r'.*(packageName|applicationId) *=* *["\']([^"]+)["\'].*').search
new = re.compile(r'''.*(packageName|applicationId)\s*=*\s*["']([^"']+)["'].*''').search
for root, dirs, files in os.walk('build'):
    for f in files:
        if f.endswith('.gradle'):
            with open(os.path.join(root, f)) as fp:
                for line in fp:
                    # run every old/new pattern pair over each line and report any mismatch
                    for old, new in ((old_vcsearch_g, new_vcsearch_g),
                                     (old_vnsearch_g, new_vnsearch_g),
                                     (old_psearch_g, new_psearch_g)):
                        found_old = old(line)
                        found_new = new(line)
                        oldresult = None
                        newresult = None
                        if found_old or found_new:
                            if found_old:
                                oldresult = found_old.groups()
                                #print('OLD', oldresult)
                            if found_new:
                                newresult = found_new.groups()
                                #print('NEW', newresult)
                            if oldresult != newresult:
                                print('--------------------------------')
                                print(f, oldresult, newresult)
In order to test that aapt defaults minSdkVersion to 3, I ran this script
then compared the output with meld:
cd $ANDROID_HOME/build-tools
for d in *.*; do echo $d; $ANDROID_HOME/build-tools/$d/aapt dump badging /home/hans/code/fdroid/server/tests/repo/com.politedroid_3.apk > /tmp/${d}.txt; done
meld /tmp/17.0.0.txt /tmp/26.0.2.txt /tmp/27.0.3.txt
Apps can now use an XML icon, but if the app supports older Android
versions, it'll also contain PNG versions of the same icon. This finds
those PNGs and uses them instead.
#344 closes #392
fdroiddata#913
git-svn will put up the "Reject/Accept" prompt if it encounters a bad HTTPS
certificate. I could find no way to stop it from doing that. So instead,
this checks the HTTPS connection with an HTTP HEAD request first.
Subversion does not verify each commit as strongly as git does, so HTTPS is
really important. Also, there is the possibility of injecting code into
`fdroid checkupdate` calls if plain HTTP is used.
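The pre-flight check described in this commit message, written out as an added example (not fdroidserver's own code): a HEAD request over a verifying TLS context runs before git-svn ever sees the URL, so a certificate problem surfaces as a Python `ssl.SSLError` the caller can abort on rather than as git-svn's interactive Reject/Accept prompt, and a plain-HTTP URL is refused outright. The `connection_factory` parameter and the `RecordingConnection` stand-in are assumptions added here so the function can be exercised offline; the hostname `svn.example.org` is constructed.

```python
import http.client
import ssl
from urllib.parse import urlparse


def check_https_before_svn(url, timeout=30, connection_factory=None):
    """Probe an HTTPS URL with a HEAD request before handing it to git-svn.

    With the default connection factory, a bad certificate raises
    ssl.SSLCertVerificationError (a subclass of ssl.SSLError) here, where the
    caller can abort, instead of reaching git-svn's interactive prompt.
    A URL that is not HTTPS is rejected outright.  Returns the HTTP status
    of the HEAD response.
    """
    parts = urlparse(url)
    if parts.scheme != 'https':
        raise ValueError('refusing Subversion URL without HTTPS: ' + url)

    def default_factory(host, port):
        # The default context verifies the certificate chain and hostname.
        return http.client.HTTPSConnection(
            host, port, timeout=timeout, context=ssl.create_default_context())

    conn = (connection_factory or default_factory)(parts.hostname,
                                                   parts.port or 443)
    try:
        conn.request('HEAD', parts.path or '/')
        return conn.getresponse().status
    finally:
        conn.close()


class RecordingConnection:
    """Constructed offline stand-in for HTTPSConnection (assumption, not a
    real server): records the request it receives and answers with a fixed
    status so the check can be demonstrated without network access."""
    status = 200

    def __init__(self, host, port):
        self.host, self.port, self.requests = host, port, []

    def request(self, method, path):
        self.requests.append((method, path))

    def getresponse(self):
        return self

    def close(self):
        pass


if __name__ == '__main__':
    # Offline demo: the factory argument swaps in the recording stand-in.
    print(check_https_before_svn('https://svn.example.org/repo/trunk',
                                 connection_factory=RecordingConnection))
```

In real use the factory argument is left at its default so the request goes over a verifying `HTTPSConnection`; an `ssl.SSLError` from that call is the signal to stop before invoking git-svn.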
This uses both the env vars and the command line options to ensure
that it works with as many versions of git as possible. Also, git-svn
uses the env vars, but not necessarily the command line options.
This uses /bin/true to pretend that it successfully got the password.
If password auth is truly required, then it will fail further on down
the line.
Currently f-droid.org has a lot of pending builds and big delays
between "fdroid build --all" runs. Bump overall build time limit from
12 hours to 36 hours to increase buildserver throughput.
We always want to run all utilities non-interactively. By default
subprocess.Popen() inherits stdin descriptor from parent process, i.e.
when fdroid is run from an interactive shell, subprocesses may expect
input from it.
Reading from /dev/null immediately returns EOF, failing any user prompt
and preventing us from hanging.
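The behaviour this commit message relies on, shown as an added example rather than fdroidserver's own code: a child that prompts on stdin gets EOF at once when the parent passes `stdin=subprocess.DEVNULL`, so the prompt fails and the build never blocks on a terminal. The prompting child program is constructed here as a stand-in for a VCS tool; `run_noninteractive` and `demo` are names assumed for this example.

```python
import subprocess
import sys

# Constructed child program standing in for a VCS tool that prompts on stdin.
# The prompt text goes to stderr so stdout carries only the outcome.
PROMPTING_CHILD = (
    "import sys\n"
    "sys.stderr.write('Password: ')\n"
    "try:\n"
    "    pw = input()\n"
    "    print('got input')\n"
    "except EOFError:\n"
    "    print('prompt got EOF')\n"
    "    sys.exit(3)\n"
)


def run_noninteractive(cmd, cwd=None, timeout=600):
    """Run cmd so it can never wait on the terminal: stdin comes from
    /dev/null (EOF immediately), so any prompt fails instead of hanging.
    The timeout is a second safety net against tools that ignore EOF."""
    return subprocess.run(
        cmd, cwd=cwd, stdin=subprocess.DEVNULL,
        stdout=subprocess.PIPE, stderr=subprocess.PIPE,
        timeout=timeout, universal_newlines=True)


def demo():
    """Return (exit code, stdout) of the prompting child under the policy."""
    proc = run_noninteractive([sys.executable, '-c', PROMPTING_CHILD])
    return proc.returncode, proc.stdout.strip()


if __name__ == '__main__':
    print(demo())  # (3, 'prompt got EOF')
```

Without the `stdin=` argument the same child would inherit the parent's terminal and sit waiting for a password when fdroid is run from an interactive shell.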
There are all sorts of unfiltered user inputs like tag and branch names in
source repos. If those names are fed into popen calls that use shell=True,
that opens up a wide range of exploits. All core operations should never
use shell=True.
This is a quick and very incomplete addition of '--' to command line calls
to source VCSs like git and hg that could be manipulated by malicious
tag/branch names or other vectors.
These were all manually tested by calling the command lines on my own
machine.
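The two points made in the messages above (never shell=True for core operations, and '--' before untrusted ref names) as an added example, not fdroidserver's own code: a constructed stand-in binary echoes the argv it receives, so we can see that a hostile tag name passed as a list element arrives as exactly one argument, whereas the same name spliced into a shell string splits into several words. `unsafe_shell_line`, `shell_words`, `vcs_argv` and `run_vcs` are names assumed for this example, and the tag name `v1.0; echo injected` is constructed.

```python
import json
import shlex
import subprocess
import sys

# Constructed stand-in for git/hg: prints the argv it received as JSON so
# we can see exactly how an untrusted ref name arrived in the child.
ARGV_ECHO = "import json, sys; print(json.dumps(sys.argv[1:]))"


def unsafe_shell_line(subcommand, ref):
    """The pattern being removed: user data spliced into a string that would
    be handed to Popen(..., shell=True).  Built here for comparison only,
    never executed."""
    return 'git %s %s' % (subcommand, ref)


def shell_words(subcommand, ref):
    """How a POSIX shell would tokenise that string (shlex follows the
    same quoting rules): the ref no longer stays one word."""
    return shlex.split(unsafe_shell_line(subcommand, ref))


def vcs_argv(subcommand, ref):
    """argv list for a VCS call with an untrusted ref (tag/branch name).
    No shell is involved, and '--' ends option parsing so a ref beginning
    with '-' is taken as a revision rather than as an option."""
    return [subcommand, '--', ref]


def run_vcs(argv):
    """Run the stand-in with a list argv (never shell=True) and return the
    argument list the child actually saw."""
    proc = subprocess.run([sys.executable, '-c', ARGV_ECHO] + argv,
                          stdin=subprocess.DEVNULL, stdout=subprocess.PIPE,
                          check=True, universal_newlines=True)
    return json.loads(proc.stdout)


if __name__ == '__main__':
    ref = 'v1.0; echo injected'   # constructed hostile tag name
    print(shell_words('checkout', ref))          # five words for the shell
    print(run_vcs(vcs_argv('checkout', ref)))    # ref stays a single argument
    print(run_vcs(vcs_argv('checkout', '--quiet')))  # after '--', still a ref
```

The list form is what fdroidserver's core operations should use throughout; the '--' is the cheap extra that keeps a ref such as `--quiet` from being parsed as an option by the real git or hg binary.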
This lets `fdroid scanner my.package.name` run without requiring that the
versionCode is also specified. It also allows scanner.scan_source() to be
called as a function in the public API of fdroidserver.
This code has never been used and contains some insecure uses of shell=True
Building Kivy apps should be done with the buildozer=yes method. The
buildozer method should probably be moved to a provisioner once that is in
place.
The currently included Qt has known security issues and is outdated. This
can now be replaced by downloading and installing the Qt installer using
the sudo= build field. @relan's provisioner system will also replace this
once that's done. There are only two apps that currently use the Qt stuff:
* csd.qtproject.minesweeper
* org.openorienteering.mapper