From 7dbf03c435571ca6f8e8e2e16a78173548c0574b Mon Sep 17 00:00:00 2001
From: Hans-Christoph Steiner
Date: Fri, 7 Jul 2017 00:02:39 +0200
Subject: [PATCH] Apk.isMediaInstalled() needs to check using sanitized file names

The install process automatically sanitizes filenames to avoid exploits that put attack code in the filename. Media files are also installed using this logic, so the installed check needs to use sanitized file names to be accurate.
---
 app/src/main/java/org/fdroid/fdroid/data/Apk.java | 2 +-
 .../test/java/org/fdroid/fdroid/data/SanitizedFileTest.java | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/src/main/java/org/fdroid/fdroid/data/Apk.java b/app/src/main/java/org/fdroid/fdroid/data/Apk.java
index 28c12bf29..0668c8663 100644
--- a/app/src/main/java/org/fdroid/fdroid/data/Apk.java
+++ b/app/src/main/java/org/fdroid/fdroid/data/Apk.java
@@ -516,7 +516,7 @@ public class Apk extends ValueObject implements Comparable, Parcelable {
 }
 public boolean isMediaInstalled(Context context) {
- return new File(this.getMediaInstallPath(context), this.apkName).isFile();
+ return new File(this.getMediaInstallPath(context), SanitizedFile.sanitizeFileName(this.apkName)).isFile();
 }
 /**
diff --git a/app/src/test/java/org/fdroid/fdroid/data/SanitizedFileTest.java b/app/src/test/java/org/fdroid/fdroid/data/SanitizedFileTest.java
index a1415c425..fc4dca32b 100644
--- a/app/src/test/java/org/fdroid/fdroid/data/SanitizedFileTest.java
+++ b/app/src/test/java/org/fdroid/fdroid/data/SanitizedFileTest.java
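Review bot: The installed check in `isMediaInstalled()` matches on the sanitized file name alone, and the sanitizer appears to strip characters (see the expectations in SanitizedFileTest), so two different `apkName` values that differ only in stripped characters would resolve to the same file and the second would be reported as installed. If callers use this result to skip a download or to trust the file already on disk, the check should also compare the stored hash, or at least carry a comment such as `// Name-only check; distinct apkNames can sanitize to the same file name, so verify the hash before trusting the file.` The sanitizing expression is written out here separately from the install code, which is outside this hunk; deriving the target file in one shared helper would keep the two from drifting apart again. No test for `isMediaInstalled()` is added with the fix.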
@@ -37,11 +37,11 @@ public class SanitizedFileTest {
 assertEquals("/tmp/blah/safe", safeSanitized.getAbsolutePath());
 assertEquals("/tmp/blah/safe-and_bleh.boo", nonEvilSanitized.getAbsolutePath());
- assertEquals("/tmp/blah/rmetcshadow", evilSanitized.getAbsolutePath());
+ assertEquals("/tmp/blah/rm etcshadow", evilSanitized.getAbsolutePath());
 assertEquals("safe", safeSanitized.getName());
 assertEquals("safe-and_bleh.boo", nonEvilSanitized.getName());
- assertEquals("rmetcshadow", evilSanitized.getName());
+ assertEquals("rm etcshadow", evilSanitized.getName());
 }
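Review bot: The expected value for the evil name changes from `rmetcshadow` to `rm etcshadow`, which means spaces now pass through the sanitizer, yet nothing in this patch touches SanitizedFile and the commit message does not mention it. This looks like a test catch-up for an earlier behaviour change and would be clearer as its own commit, or with a comment on the assertion such as `// sanitizeFileName() keeps spaces; quote sanitized names wherever they reach a shell command`. Since a kept space splits arguments in an unquoted command line, it is worth confirming that no consumer of a sanitized name builds a command string from it. The test method and the input that produces `evilSanitized` begin outside the hunk.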