added test of "Master Key"-style exploit based

This does not seem affected, I made a quick and dirty zip with two index.xml files in it following these instructions: http://www.saurik.com/id/17 refs #39 https://gitlab.com/fdroid/fdroidclient/issues/39
2014-06-11 22:01:06 -04:00 · 2014-06-11 22:01:06 -04:00 · 3fef37a5f4
commit 3fef37a5f4
parent 8af69afba6
2 changed files with 19 additions and 1 deletions
--- a/test/assets/masterKeyIndex.jar
+++ b/test/assets/masterKeyIndex.jar
--- a/test/src/org/fdroid/fdroid/updater/SignedRepoUpdaterTest.java
+++ b/test/src/org/fdroid/fdroid/updater/SignedRepoUpdaterTest.java
@ -12,7 +12,11 @@ import org.fdroid.fdroid.Utils;
 import org.fdroid.fdroid.data.Repo;
 import org.fdroid.fdroid.updater.RepoUpdater.UpdateException;

-import java.io.*;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.OutputStream;

@TargetApi(8)
 public class SignedRepoUpdaterTest extends InstrumentationTestCase {
@ -165,4 +169,18 @@ public class SignedRepoUpdaterTest extends InstrumentationTestCase {
            // success!
        }
    }
+
+    public void testExtractIndexFromMasterKeyIndexJar() {
+        if (!testFilesDir.canWrite())
+            return;
+        // this is supposed to fail
+        try {
+            repoUpdater.getIndexFromFile(getTestFile("masterKeyIndex.jar"));
+            fail();
+        } catch (UpdateException e) {
+            // success!
+        } catch (SecurityException e) {
+            // success!
+        }
+    }
 }