diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index c1a70003..2cde1dc1 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -3224,6 +3224,8 @@ def calculate_math_string(expr):
 raise SyntaxError(node)
 try:
+ if '#' in expr:
+ raise SyntaxError('no comments allowed')
 return execute_ast(ast.parse(expr, mode='eval').body)
 except SyntaxError as e:
 raise SyntaxError("could not parse expression '{expr}', "
diff --git a/tests/common.TestCase b/tests/common.TestCase
index f95a0820..e9dcafa7 100755
--- a/tests/common.TestCase
+++ b/tests/common.TestCase
@@ -779,6 +779,19 @@ class CommonTest(unittest.TestCase):
 self.assertEqual(('1.0-free', '1', 'com.kunzisoft.fdroidtest.applicationidsuffix'),
 fdroidserver.common.parse_androidmanifests(paths, app))
+ def test_calculate_math_string(self):
+ self.assertEqual(1234, fdroidserver.common.calculate_math_string('1234'))
+ self.assertEqual(4, fdroidserver.common.calculate_math_string('(1+1)*2'))
+ self.assertEqual(2, fdroidserver.common.calculate_math_string('(1-1)*2+3*1-1'))
+ with self.assertRaises(SyntaxError):
+ fdroidserver.common.calculate_math_string('__import__("urllib")')
+ with self.assertRaises(SyntaxError):
+ fdroidserver.common.calculate_math_string('self')
+ with self.assertRaises(SyntaxError):
+ fdroidserver.common.calculate_math_string('1+1; print(1)')
+ with self.assertRaises(SyntaxError):
+ fdroidserver.common.calculate_math_string('1-1 # no comment')
+
 if __name__ == "__main__":
 parser = optparse.OptionParser()
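Review bot: The added `'#'` check is a string-level pre-filter and nothing in the hunk records why it is needed, given that the `execute_ast` walk on the next line already raises SyntaxError for nodes it does not know; `ast.parse(..., mode='eval')` discards comments, so without the check `'1-1 # no comment'` would simply evaluate to 0, and a one-line comment such as `# ast.parse() silently drops comments; reject them so the input must be a bare expression` would keep the next maintainer from removing it as redundant. Separately, `ast.parse()` on arbitrary input can raise exceptions other than SyntaxError — a ValueError for embedded NUL bytes on interpreters before 3.12, and RecursionError or MemoryError for very deeply nested input — which the `except SyntaxError as e:` clause below does not convert, so those would escape as unrelated tracebacks; `except (SyntaxError, ValueError) as e:` would cover the first, if that matches the intended contract. The string passed to SyntaxError on the last line carries `'{expr}'` with no f-prefix and no visible `.format(...)`; the call continues outside the hunk, so this may be resolved there, but it is worth confirming the message actually interpolates. The body of calculate_math_string starts before the hunk.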
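Review bot: None of the four `assertRaises(SyntaxError)` blocks in test_calculate_math_string distinguishes a rejection by the whitelist from a plain parse failure inside `ast.parse()`; `'1+1; print(1)'`, for instance, is already invalid in `mode='eval'`, so that case passes even if the node whitelist were removed. Using `assertRaisesRegex(SyntaxError, "could not parse expression")` for the name and call inputs would pin the re-raise path through calculate_math_string, and would also surface the `'{expr}'` placeholder in that message if it is never formatted. A case for the empty string and one with surrounding whitespace (`' 1+1 '`) would round out the boundary inputs. The test_calculate_math_string method is entirely within the hunk.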