From a6a8d345283c98112a26b9fad67efa0df947ec73 Mon Sep 17 00:00:00 2001 From: Hans-Christoph Steiner Date: Tue, 23 Aug 2016 16:20:52 +0200 Subject: [PATCH] sanitize mirror URLs to prevent path segments from being removed urllib.parse.urljoin() will strip off the last path segment before joining if that last path segment does not end with /. That's a "feature" to make it easy to replace file names. Here it was stripping off the essential 'fdroid' segment, making URLs like: https://foo.com/repo when they should be https://foo.com/fdroid/repo --- fdroidserver/update.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/fdroidserver/update.py b/fdroidserver/update.py index 9f1ad43c..6261a69e 100644 --- a/fdroidserver/update.py +++ b/fdroidserver/update.py @@ -895,11 +895,17 @@ def make_index(apps, sortedids, apks, repodir, archive, categories): repoel = doc.createElement("repo") mirrorcheckfailed = False + mirrors = [] for mirror in config.get('mirrors', []): base = os.path.basename(urllib.parse.urlparse(mirror).path.rstrip('/')) if config.get('nonstandardwebroot') is not True and base != 'fdroid': logging.error("mirror '" + mirror + "' does not end with 'fdroid'!") mirrorcheckfailed = True + # must end with / or urljoin strips a whole path segment + if mirror.endswith('/'): + mirrors.append(mirror) + else: + mirrors.append(mirror + '/') if mirrorcheckfailed: sys.exit(1) @@ -911,7 +917,7 @@ def make_index(apps, sortedids, apks, repodir, archive, categories): repoel.setAttribute("url", config['archive_url']) addElement('description', config['archive_description'], doc, repoel) urlbasepath = os.path.basename(urllib.parse.urlparse(config['archive_url']).path) - for mirror in config.get('mirrors', []): + for mirror in mirrors: addElement('mirror', urllib.parse.urljoin(mirror, urlbasepath), doc, repoel) else: @@ -922,7 +928,7 @@ def make_index(apps, sortedids, apks, repodir, archive, categories): repoel.setAttribute("url", config['repo_url']) addElement('description', config['repo_description'], doc, repoel) urlbasepath = os.path.basename(urllib.parse.urlparse(config['repo_url']).path) - for mirror in config.get('mirrors', []): + for mirror in mirrors: addElement('mirror', urllib.parse.urljoin(mirror, urlbasepath), doc, repoel) repoel.setAttribute("version", str(METADATA_VERSION))