delete .java.security after checking MD5 signatures

This file is written freshly each time before use, so it does not need
to be ekpt around.  It was the only file making the fdroiddata.git
repo dirty on the f-droid.org infrastructure.

This also adds stricter file permissions to avoid an attacker changing
those settings during operation.

diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index ca50ceeaefab40fb114d2f84aa368f4ec8119c1d..68b7e79ee83e8b7f39f6c1ce692f5fa6d6c861cf 100644 (file)
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -2665,12 +2665,20 @@ def verify_old_apk_signature(apk):
     jarsigner passes unsigned APKs as "verified"! So this has to turn
     on -strict then check for result 4.
 
+    Just to be safe, this never reuses the file, and locks down the
+    file permissions while in use.  That should prevent a bad actor
+    from changing the settings during operation.
+
     :returns: boolean whether the APK was verified
+
     """
 
     _java_security = os.path.join(os.getcwd(), '.java.security')
+    if os.path.exists(_java_security):
+        os.remove(_java_security)
     with open(_java_security, 'w') as fp:
         fp.write('jdk.jar.disabledAlgorithms=MD2, RSA keySize < 1024')
+    os.chmod(_java_security, 0o400)
 
     try:
         cmd = [
@@ -2685,6 +2693,10 @@ def verify_old_apk_signature(apk):
         else:
             logging.debug(_('JAR signature verified: {path}').format(path=apk))
             return True
+    finally:
+        if os.path.exists(_java_security):
+            os.chmod(_java_security, 0o600)
+            os.remove(_java_security)
 
     logging.error(_('Old APK signature failed to verify: {path}').format(path=apk)
                   + '\n' + output.decode('utf-8'))