From 79475d055faa35f47a57d9185d0a4562ee0844ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Mart=C3=AD?=
Date: Wed, 30 Sep 2015 16:12:45 -0700
Subject: [PATCH] Fetch string contents in a safer way
---
 fdroidserver/common.py | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index f656ac09..4c3597f2 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -883,6 +883,8 @@ class vcs_bzr(vcs):
 def unescape_string(string):
+ if len(string) < 2:
+ return string
 if string[0] == '"' and string[-1] == '"':
 return string[1:-1]
@@ -891,6 +893,9 @@ def unescape_string(string):
 def retrieve_string(app_dir, string, xmlfiles=None):
+ if not string.startswith('@string/'):
+ return unescape_string(string)
+
 if xmlfiles is None:
 xmlfiles = []
 for res_dir in [
@@ -901,18 +906,21 @@ def retrieve_string(app_dir, string, xmlfiles=None):
 if os.path.basename(r) == 'values':
 xmlfiles += [os.path.join(r, x) for x in f if x.endswith('.xml')]
- if not string.startswith('@string/'):
- return unescape_string(string)
-
 name = string[len('@string/'):]
+ def element_content(element):
+ if element.text is None:
+ return ""
+ return element.text.encode('utf-8')
+
 for path in xmlfiles:
 if not os.path.isfile(path):
 continue
 xml = parse_xml(path)
 element = xml.find('string[@name="' + name + '"]')
- if element is not None and element.text is not None:
- return retrieve_string(app_dir, element.text.encode('utf-8'), xmlfiles)
+ if element is not None:
+ content = element_content(element)
+ return retrieve_string(app_dir, content, xmlfiles)
 return ''
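Review bot: The recursive `return retrieve_string(app_dir, content, xmlfiles)` at the end of the third hunk still has no guard against reference cycles, so a resource file in which a string resolves back to its own `@string/` name (directly or through a second entry) recurses until Python raises RecursionError. The XML under `app_dir` appears to come from the app's own source tree, so a malformed resource file should not be able to abort the caller; tracking the names already visited and returning `''` on a repeat fixes that without changing the result for well-formed resources. The function's signature sits above this hunk, and the sketch below adds an optional `seen=None` parameter there, which keeps existing callers working. Separately, `name` is concatenated unescaped into the `find` predicate on the unchanged line above the new code, so a reference containing a quote character likely yields a malformed path expression; checking `name` against the resource-name character set before the lookup would cover it.

```python
def retrieve_string(app_dir, string, xmlfiles=None, seen=None):
    # … unchanged: '@string/' prefix check and xmlfiles discovery …
    name = string[len('@string/'):]
    if seen is None:
        seen = set()
    if name in seen:
        # Reference cycle in the app's resources: stop instead of recursing.
        return ''
    seen.add(name)
    # … unchanged: element_content helper and loop over xmlfiles …
            return retrieve_string(app_dir, content, xmlfiles, seen)
```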