update: throw exception for APKs with invalid Application ID

Android Application IDs must be valid Java Package Names. While the build tools likely validate the Application ID, it is possible to manually create a malicious APK.
2024-11-19 21:30:10 +01:00 · 2018-09-01 12:19:45 +02:00 · 2018-09-01 12:19:45 +02:00 · 11b3e5be3a
commit 11b3e5be3a
parent 5d161cc9fd
2 changed files with 5 additions and 1 deletions
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@ -1511,7 +1511,7 @@ def parse_androidmanifests(paths, app):
    if max_version is None:
        max_version = "Unknown"

-    if max_package and not is_valid_package_name(max_package):
+    if max_package and not is_valid_java_package_name(max_package):
        raise FDroidException(_("Invalid package name {0}").format(max_package))

    return (max_version, max_vercode, max_package)
--- a/fdroidserver/update.py
+++ b/fdroidserver/update.py
@ -1064,6 +1064,10 @@ def scan_apk(apk_file):
    else:
        scan_apk_aapt(apk, apk_file)

+    if not common.is_valid_java_package_name(apk['packageName']):
+        raise BuildException(_("{appid} from {path} is not a valid Java Package Name!")
+                             .format(appid=apk['packageName'], path=apk_file))
+
    # Get the signature, or rather the signing key fingerprints
    logging.debug('Getting signature of {0}'.format(os.path.basename(apk_file)))
    apk['sig'] = getsig(apk_file)