chiark / gitweb /
~ianmdlvl / fdroidserver.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
VercodeOperation: only allow simple math expresssions and %c
[fdroidserver.git] / fdroidserver / checkupdates.py
diff --git a/fdroidserver/checkupdates.py b/fdroidserver/checkupdates.py
index d919c72b11a8cbba405065651bf9dc68ad332549..0a4f6e27af114bf1d2ad46e3945bc9cfcebd18dd 100644 (file)
--- a/fdroidserver/checkupdates.py
+++ b/fdroidserver/checkupdates.py
@@ -429,6 +429,9 @@ def checkupdates_app(app):
         msg = 'Invalid update check method'
 
     if version and vercode and app.VercodeOperation:
+        if not common.VERCODE_OPERATION_RE.match(app.VercodeOperation):
+            raise MetaDataException(_('Invalid VercodeOperation: {field}')
+                                    .format(field=app.VercodeOperation))
         oldvercode = str(int(vercode))
         op = app.VercodeOperation.replace("%c", oldvercode)
         vercode = str(eval(op))
Unnamed repository; edit this file 'description' to name the repository.