Skip to content

1.4.5

Latest

Choose a tag to compare

@Dim145 Dim145 released this 05 Jul 01:20

Patch release — fixes staged APK uploads.

Problem: uploading an APK through the web UI (or creating an app from a staged APK) failed with 400 "Invalid APK: APK basename must be a tempfile-style filename". The inspect step returned 200, but redeeming the staging token (upload-staged) always 400'd.

Cause: the path-injection allowlist in parse_apk only permitted [A-Za-z0-9_], but _materialise_staged_apk names its temp file with a fdroid-staged- prefix. The hyphens were rejected, so every staged redemption failed. Direct uploads slipped through only because they use the default tmp prefix.

Fix: the allowlist now also accepts -. This stays traversal-safe — . and / remain excluded and the barrier still reconstructs the path from a constant temp-dir prefix + the validated basename, so the CodeQL py/path-injection guarantee is intact. Added backend/tests/test_apk_parser_basename.py (staged name accepted, tmp name accepted, traversal/dot/space/wrong-suffix names rejected).

Images (backend / worker / frontend) are published to GHCR by CI for this release — pull :1.4.5 and redeploy the backend (the fix is backend-only; frontend/worker bumps are just the version). Reminder: the worker service must use the *-worker image.