From: Hans-Christoph Steiner <hans@eds.org>
Date: Thu, 1 Mar 2018 22:51:36 +0000 (+0100)
Subject: checkupdates: require UpdateCheckData has valid HTTPS URL
X-Git-Tag: 1.0.3~21^2
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=7da0747849c42033de787abbbf6efa282cb838b2;p=fdroidserver.git

checkupdates: require UpdateCheckData has valid HTTPS URL
---

diff --git a/fdroidserver/checkupdates.py b/fdroidserver/checkupdates.py
index 876dd2ae..d919c72b 100644
--- a/fdroidserver/checkupdates.py
+++ b/fdroidserver/checkupdates.py
@@ -30,6 +30,7 @@ import html
 from distutils.version import LooseVersion
 import logging
 import copy
+import urllib.parse
 
 from . import _
 from . import common
@@ -48,6 +49,13 @@ def check_http(app):
             raise FDroidException('Missing Update Check Data')
 
         urlcode, codeex, urlver, verex = app.UpdateCheckData.split('|')
+        parsed = urllib.parse.urlparse(urlcode)
+        if not parsed.netloc or not parsed.scheme or parsed.scheme != 'https':
+            raise FDroidException(_('UpdateCheckData has invalid URL: {url}').format(url=urlcode))
+        if urlver != '.':
+            parsed = urllib.parse.urlparse(urlver)
+            if not parsed.netloc or not parsed.scheme or parsed.scheme != 'https':
+                raise FDroidException(_('UpdateCheckData has invalid URL: {url}').format(url=urlcode))
 
         vercode = "99999999"
         if len(urlcode) > 0: