From: Hans-Christoph Steiner <hans@eds.org>
Date: Thu, 1 Mar 2018 22:29:38 +0000 (+0100)
Subject: lint: require UpdateCheckData to contain only valid HTTPS URLs
X-Git-Tag: 1.0.3~21^2~1
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=26bfd7fb28163abbf8f599609ce57e2bd10a9eed;p=fdroidserver.git

lint: require UpdateCheckData to contain only valid HTTPS URLs
---

diff --git a/fdroidserver/lint.py b/fdroidserver/lint.py
index e746f269..13779747 100644
--- a/fdroidserver/lint.py
+++ b/fdroidserver/lint.py
@@ -21,6 +21,7 @@ import glob
 import os
 import re
 import sys
+import urllib.parse
 
 from . import _
 from . import common
@@ -207,6 +208,19 @@ def get_lastbuild(builds):
     return lastbuild
 
 
+def check_update_check_data_url(app):
+    """UpdateCheckData must have a valid HTTPS URL to protect checkupdates runs
+    """
+    if app.UpdateCheckData:
+        urlcode, codeex, urlver, verex = app.UpdateCheckData.split('|')
+        for url in (urlcode, urlver):
+            parsed = urllib.parse.urlparse(url)
+            if not parsed.scheme or not parsed.netloc:
+                yield _('UpdateCheckData not a valid URL: {url}').format(url=url)
+            if parsed.scheme != 'https':
+                yield _('UpdateCheckData must use HTTPS URL: {url}').format(url=url)
+
+
 def check_ucm_tags(app):
     lastbuild = get_lastbuild(app.builds)
     if (lastbuild is not None
@@ -513,6 +527,7 @@ def main():
 
         app_check_funcs = [
             check_regexes,
+            check_update_check_data_url,
             check_ucm_tags,
             check_char_limits,
             check_old_links,