From: Daniel Martí <mvdan@mvdan.cc>
Date: Wed, 30 Sep 2015 23:12:45 +0000 (-0700)
Subject: Fetch string contents in a safer way
X-Git-Tag: 0.5.0~69
X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=79475d055faa35f47a57d9185d0a4562ee0844ef;p=fdroidserver.git

Fetch string contents in a safer way
---

diff --git a/fdroidserver/common.py b/fdroidserver/common.py
index f656ac09..4c3597f2 100644
--- a/fdroidserver/common.py
+++ b/fdroidserver/common.py
@@ -883,6 +883,8 @@ class vcs_bzr(vcs):
 
 
 def unescape_string(string):
+    if len(string) < 2:
+        return string
     if string[0] == '"' and string[-1] == '"':
         return string[1:-1]
 
@@ -891,6 +893,9 @@ def unescape_string(string):
 
 def retrieve_string(app_dir, string, xmlfiles=None):
 
+    if not string.startswith('@string/'):
+        return unescape_string(string)
+
     if xmlfiles is None:
         xmlfiles = []
         for res_dir in [
@@ -901,18 +906,21 @@ def retrieve_string(app_dir, string, xmlfiles=None):
                 if os.path.basename(r) == 'values':
                     xmlfiles += [os.path.join(r, x) for x in f if x.endswith('.xml')]
 
-    if not string.startswith('@string/'):
-        return unescape_string(string)
-
     name = string[len('@string/'):]
 
+    def element_content(element):
+        if element.text is None:
+            return ""
+        return element.text.encode('utf-8')
+
     for path in xmlfiles:
         if not os.path.isfile(path):
             continue
         xml = parse_xml(path)
         element = xml.find('string[@name="' + name + '"]')
-        if element is not None and element.text is not None:
-            return retrieve_string(app_dir, element.text.encode('utf-8'), xmlfiles)
+        if element is not None:
+            content = element_content(element)
+            return retrieve_string(app_dir, content, xmlfiles)
 
     return ''