1
0
mirror of https://gitlab.com/fdroid/fdroidserver.git synced 2024-11-20 13:50:12 +01:00

sanitize mirror URLs to prevent path segments from being removed

urllib.parse.urljoin() will strip off the last path segment before joining
if that last path segment does not end with /.  That's a "feature" to make
it easy to replace file names.  Here it was stripping off the essential
'fdroid' segment, making URLs like:

https://foo.com/repo

when they should be

https://foo.com/fdroid/repo
This commit is contained in:
Hans-Christoph Steiner 2016-08-23 16:20:52 +02:00
parent 1c49c3af1d
commit a6a8d34528

View File

@ -895,11 +895,17 @@ def make_index(apps, sortedids, apks, repodir, archive, categories):
repoel = doc.createElement("repo")
mirrorcheckfailed = False
mirrors = []
for mirror in config.get('mirrors', []):
base = os.path.basename(urllib.parse.urlparse(mirror).path.rstrip('/'))
if config.get('nonstandardwebroot') is not True and base != 'fdroid':
logging.error("mirror '" + mirror + "' does not end with 'fdroid'!")
mirrorcheckfailed = True
# must end with / or urljoin strips a whole path segment
if mirror.endswith('/'):
mirrors.append(mirror)
else:
mirrors.append(mirror + '/')
if mirrorcheckfailed:
sys.exit(1)
@ -911,7 +917,7 @@ def make_index(apps, sortedids, apks, repodir, archive, categories):
repoel.setAttribute("url", config['archive_url'])
addElement('description', config['archive_description'], doc, repoel)
urlbasepath = os.path.basename(urllib.parse.urlparse(config['archive_url']).path)
for mirror in config.get('mirrors', []):
for mirror in mirrors:
addElement('mirror', urllib.parse.urljoin(mirror, urlbasepath), doc, repoel)
else:
@ -922,7 +928,7 @@ def make_index(apps, sortedids, apks, repodir, archive, categories):
repoel.setAttribute("url", config['repo_url'])
addElement('description', config['repo_description'], doc, repoel)
urlbasepath = os.path.basename(urllib.parse.urlparse(config['repo_url']).path)
for mirror in config.get('mirrors', []):
for mirror in mirrors:
addElement('mirror', urllib.parse.urljoin(mirror, urlbasepath), doc, repoel)
repoel.setAttribute("version", str(METADATA_VERSION))