1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "extensions/browser/sandboxed_unpacker.h"
9 #include "base/base64.h"
10 #include "base/bind.h"
11 #include "base/command_line.h"
12 #include "base/files/file_util.h"
13 #include "base/files/file_util_proxy.h"
14 #include "base/files/scoped_file.h"
15 #include "base/json/json_string_value_serializer.h"
16 #include "base/message_loop/message_loop.h"
17 #include "base/metrics/histogram.h"
18 #include "base/numerics/safe_conversions.h"
19 #include "base/path_service.h"
20 #include "base/sequenced_task_runner.h"
21 #include "base/strings/string_number_conversions.h"
22 #include "base/strings/utf_string_conversions.h"
23 #include "base/threading/sequenced_worker_pool.h"
24 #include "components/crx_file/constants.h"
25 #include "components/crx_file/crx_file.h"
26 #include "components/crx_file/id_util.h"
27 #include "content/public/browser/browser_thread.h"
28 #include "content/public/browser/utility_process_host.h"
29 #include "content/public/common/common_param_traits.h"
30 #include "crypto/secure_hash.h"
31 #include "crypto/sha2.h"
32 #include "crypto/signature_verifier.h"
33 #include "extensions/common/constants.h"
34 #include "extensions/common/extension.h"
35 #include "extensions/common/extension_l10n_util.h"
36 #include "extensions/common/extension_utility_messages.h"
37 #include "extensions/common/extensions_client.h"
38 #include "extensions/common/file_util.h"
39 #include "extensions/common/manifest_constants.h"
40 #include "extensions/common/manifest_handlers/icons_handler.h"
41 #include "extensions/common/switches.h"
42 #include "grit/extensions_strings.h"
43 #include "third_party/skia/include/core/SkBitmap.h"
44 #include "ui/base/l10n/l10n_util.h"
45 #include "ui/gfx/codec/png_codec.h"
47 using base::ASCIIToUTF16
;
48 using content::BrowserThread
;
49 using content::UtilityProcessHost
;
50 using crx_file::CrxFile
;
52 // The following macro makes histograms that record the length of paths
53 // in this file much easier to read.
54 // Windows has a short max path length. If the path length to a
55 // file being unpacked from a CRX exceeds the max length, we might
56 // fail to install. To see if this is happening, see how long the
57 // path to the temp unpack directory is. See crbug.com/69693 .
58 #define PATH_LENGTH_HISTOGRAM(name, path) \
59 UMA_HISTOGRAM_CUSTOM_COUNTS(name, path.value().length(), 0, 500, 100)
61 // Record a rate (kB per second) at which extensions are unpacked.
62 // Range from 1kB/s to 100mB/s.
63 #define UNPACK_RATE_HISTOGRAM(name, rate) \
64 UMA_HISTOGRAM_CUSTOM_COUNTS(name, rate, 1, 100000, 100);
66 namespace extensions
{
69 void RecordSuccessfulUnpackTimeHistograms(const base::FilePath
& crx_path
,
70 const base::TimeDelta unpack_time
) {
71 const int64 kBytesPerKb
= 1024;
72 const int64 kBytesPerMb
= 1024 * 1024;
74 UMA_HISTOGRAM_TIMES("Extensions.SandboxUnpackSuccessTime", unpack_time
);
76 // To get a sense of how CRX size impacts unpack time, record unpack
77 // time for several increments of CRX size.
79 if (!base::GetFileSize(crx_path
, &crx_file_size
)) {
80 UMA_HISTOGRAM_COUNTS("Extensions.SandboxUnpackSuccessCantGetCrxSize", 1);
84 // Cast is safe as long as the number of bytes in the CRX is less than
86 int crx_file_size_kb
= static_cast<int>(crx_file_size
/ kBytesPerKb
);
87 UMA_HISTOGRAM_COUNTS("Extensions.SandboxUnpackSuccessCrxSize",
90 // We have time in seconds and file size in bytes. We want the rate bytes are
93 static_cast<double>(crx_file_size
) / static_cast<double>(kBytesPerKb
);
94 int unpack_rate_kb_per_s
=
95 static_cast<int>(file_size_kb
/ unpack_time
.InSecondsF());
96 UNPACK_RATE_HISTOGRAM("Extensions.SandboxUnpackRate", unpack_rate_kb_per_s
);
98 if (crx_file_size
< 50.0 * kBytesPerKb
) {
99 UNPACK_RATE_HISTOGRAM("Extensions.SandboxUnpackRateUnder50kB",
100 unpack_rate_kb_per_s
);
102 } else if (crx_file_size
< 1 * kBytesPerMb
) {
103 UNPACK_RATE_HISTOGRAM("Extensions.SandboxUnpackRate50kBTo1mB",
104 unpack_rate_kb_per_s
);
106 } else if (crx_file_size
< 2 * kBytesPerMb
) {
107 UNPACK_RATE_HISTOGRAM("Extensions.SandboxUnpackRate1To2mB",
108 unpack_rate_kb_per_s
);
110 } else if (crx_file_size
< 5 * kBytesPerMb
) {
111 UNPACK_RATE_HISTOGRAM("Extensions.SandboxUnpackRate2To5mB",
112 unpack_rate_kb_per_s
);
114 } else if (crx_file_size
< 10 * kBytesPerMb
) {
115 UNPACK_RATE_HISTOGRAM("Extensions.SandboxUnpackRate5To10mB",
116 unpack_rate_kb_per_s
);
119 UNPACK_RATE_HISTOGRAM("Extensions.SandboxUnpackRateOver10mB",
120 unpack_rate_kb_per_s
);
124 // Work horse for FindWritableTempLocation. Creates a temp file in the folder
125 // and uses NormalizeFilePath to check if the path is junction free.
126 bool VerifyJunctionFreeLocation(base::FilePath
* temp_dir
) {
127 if (temp_dir
->empty())
130 base::FilePath temp_file
;
131 if (!base::CreateTemporaryFileInDir(*temp_dir
, &temp_file
)) {
132 LOG(ERROR
) << temp_dir
->value() << " is not writable";
135 // NormalizeFilePath requires a non-empty file, so write some data.
136 // If you change the exit points of this function please make sure all
137 // exit points delete this temp file!
138 if (base::WriteFile(temp_file
, ".", 1) != 1)
141 base::FilePath normalized_temp_file
;
142 bool normalized
= base::NormalizeFilePath(temp_file
, &normalized_temp_file
);
144 // If |temp_file| contains a link, the sandbox will block al file system
145 // operations, and the install will fail.
146 LOG(ERROR
) << temp_dir
->value() << " seem to be on remote drive.";
148 *temp_dir
= normalized_temp_file
.DirName();
150 // Clean up the temp file.
151 base::DeleteFile(temp_file
, false);
156 // This function tries to find a location for unpacking the extension archive
157 // that is writable and does not lie on a shared drive so that the sandboxed
158 // unpacking process can write there. If no such location exists we can not
159 // proceed and should fail.
160 // The result will be written to |temp_dir|. The function will write to this
161 // parameter even if it returns false.
162 bool FindWritableTempLocation(const base::FilePath
& extensions_dir
,
163 base::FilePath
* temp_dir
) {
164 // On ChromeOS, we will only attempt to unpack extension in cryptohome (profile)
165 // directory to provide additional security/privacy and speed up the rest of
166 // the extension install process.
167 #if !defined(OS_CHROMEOS)
168 PathService::Get(base::DIR_TEMP
, temp_dir
);
169 if (VerifyJunctionFreeLocation(temp_dir
))
173 *temp_dir
= file_util::GetInstallTempDir(extensions_dir
);
174 if (VerifyJunctionFreeLocation(temp_dir
))
176 // Neither paths is link free chances are good installation will fail.
177 LOG(ERROR
) << "Both the %TEMP% folder and the profile seem to be on "
178 << "remote drives or read-only. Installation can not complete!";
182 // Read the decoded images back from the file we saved them to.
183 // |extension_path| is the path to the extension we unpacked that wrote the
184 // data. Returns true on success.
185 bool ReadImagesFromFile(const base::FilePath
& extension_path
,
186 DecodedImages
* images
) {
187 base::FilePath path
= extension_path
.AppendASCII(kDecodedImagesFilename
);
188 std::string file_str
;
189 if (!base::ReadFileToString(path
, &file_str
))
192 IPC::Message
pickle(file_str
.data(), file_str
.size());
193 PickleIterator
iter(pickle
);
194 return IPC::ReadParam(&pickle
, &iter
, images
);
197 // Read the decoded message catalogs back from the file we saved them to.
198 // |extension_path| is the path to the extension we unpacked that wrote the
199 // data. Returns true on success.
200 bool ReadMessageCatalogsFromFile(const base::FilePath
& extension_path
,
201 base::DictionaryValue
* catalogs
) {
202 base::FilePath path
=
203 extension_path
.AppendASCII(kDecodedMessageCatalogsFilename
);
204 std::string file_str
;
205 if (!base::ReadFileToString(path
, &file_str
))
208 IPC::Message
pickle(file_str
.data(), file_str
.size());
209 PickleIterator
iter(pickle
);
210 return IPC::ReadParam(&pickle
, &iter
, catalogs
);
215 SandboxedUnpackerClient::SandboxedUnpackerClient()
216 : RefCountedDeleteOnMessageLoop
<SandboxedUnpackerClient
>(
217 content::BrowserThread::GetMessageLoopProxyForThread(
218 content::BrowserThread::UI
)) {
219 DCHECK_CURRENTLY_ON(BrowserThread::UI
);
222 SandboxedUnpacker::SandboxedUnpacker(
223 const CRXFileInfo
& file
,
224 Manifest::Location location
,
226 const base::FilePath
& extensions_dir
,
227 const scoped_refptr
<base::SequencedTaskRunner
>& unpacker_io_task_runner
,
228 SandboxedUnpackerClient
* client
)
229 : crx_path_(file
.path
),
230 package_hash_(base::StringToLowerASCII(file
.expected_hash
)),
231 check_crx_hash_(false),
233 extensions_dir_(extensions_dir
),
234 got_response_(false),
236 creation_flags_(creation_flags
),
237 unpacker_io_task_runner_(unpacker_io_task_runner
) {
238 if (!package_hash_
.empty()) {
239 check_crx_hash_
= base::CommandLine::ForCurrentProcess()->HasSwitch(
240 extensions::switches::kEnableCrxHashCheck
);
244 bool SandboxedUnpacker::CreateTempDirectory() {
245 CHECK(unpacker_io_task_runner_
->RunsTasksOnCurrentThread());
247 base::FilePath temp_dir
;
248 if (!FindWritableTempLocation(extensions_dir_
, &temp_dir
)) {
249 ReportFailure(COULD_NOT_GET_TEMP_DIRECTORY
,
250 l10n_util::GetStringFUTF16(
251 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
252 ASCIIToUTF16("COULD_NOT_GET_TEMP_DIRECTORY")));
256 if (!temp_dir_
.CreateUniqueTempDirUnderPath(temp_dir
)) {
257 ReportFailure(COULD_NOT_CREATE_TEMP_DIRECTORY
,
258 l10n_util::GetStringFUTF16(
259 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
260 ASCIIToUTF16("COULD_NOT_CREATE_TEMP_DIRECTORY")));
267 void SandboxedUnpacker::Start() {
268 // We assume that we are started on the thread that the client wants us to do
270 CHECK(unpacker_io_task_runner_
->RunsTasksOnCurrentThread());
272 unpack_start_time_
= base::TimeTicks::Now();
274 PATH_LENGTH_HISTOGRAM("Extensions.SandboxUnpackInitialCrxPathLength",
276 if (!CreateTempDirectory())
277 return; // ReportFailure() already called.
279 // Initialize the path that will eventually contain the unpacked extension.
280 extension_root_
= temp_dir_
.path().AppendASCII(kTempExtensionName
);
281 PATH_LENGTH_HISTOGRAM("Extensions.SandboxUnpackUnpackedCrxPathLength",
284 // Extract the public key and validate the package.
285 if (!ValidateSignature())
286 return; // ValidateSignature() already reported the error.
288 // Copy the crx file into our working directory.
289 base::FilePath temp_crx_path
= temp_dir_
.path().Append(crx_path_
.BaseName());
290 PATH_LENGTH_HISTOGRAM("Extensions.SandboxUnpackTempCrxPathLength",
293 if (!base::CopyFile(crx_path_
, temp_crx_path
)) {
294 // Failed to copy extension file to temporary directory.
296 FAILED_TO_COPY_EXTENSION_FILE_TO_TEMP_DIRECTORY
,
297 l10n_util::GetStringFUTF16(
298 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
299 ASCIIToUTF16("FAILED_TO_COPY_EXTENSION_FILE_TO_TEMP_DIRECTORY")));
303 // The utility process will have access to the directory passed to
304 // SandboxedUnpacker. That directory should not contain a symlink or NTFS
305 // reparse point. When the path is used, following the link/reparse point
306 // will cause file system access outside the sandbox path, and the sandbox
307 // will deny the operation.
308 base::FilePath link_free_crx_path
;
309 if (!base::NormalizeFilePath(temp_crx_path
, &link_free_crx_path
)) {
310 LOG(ERROR
) << "Could not get the normalized path of "
311 << temp_crx_path
.value();
312 ReportFailure(COULD_NOT_GET_SANDBOX_FRIENDLY_PATH
,
313 l10n_util::GetStringUTF16(IDS_EXTENSION_UNPACK_FAILED
));
316 PATH_LENGTH_HISTOGRAM("Extensions.SandboxUnpackLinkFreeCrxPathLength",
319 BrowserThread::PostTask(BrowserThread::IO
, FROM_HERE
,
320 base::Bind(&SandboxedUnpacker::StartProcessOnIOThread
,
321 this, link_free_crx_path
));
324 SandboxedUnpacker::~SandboxedUnpacker() {
325 // To avoid blocking shutdown, don't delete temporary directory here if it
326 // hasn't been cleaned up or passed on to another owner yet.
330 bool SandboxedUnpacker::OnMessageReceived(const IPC::Message
& message
) {
332 IPC_BEGIN_MESSAGE_MAP(SandboxedUnpacker
, message
)
333 IPC_MESSAGE_HANDLER(ChromeUtilityHostMsg_UnpackExtension_Succeeded
,
334 OnUnpackExtensionSucceeded
)
335 IPC_MESSAGE_HANDLER(ChromeUtilityHostMsg_UnpackExtension_Failed
,
336 OnUnpackExtensionFailed
)
337 IPC_MESSAGE_UNHANDLED(handled
= false)
338 IPC_END_MESSAGE_MAP()
342 void SandboxedUnpacker::OnProcessCrashed(int exit_code
) {
343 // Don't report crashes if they happen after we got a response.
347 // Utility process crashed while trying to install.
349 UTILITY_PROCESS_CRASHED_WHILE_TRYING_TO_INSTALL
,
350 l10n_util::GetStringFUTF16(
351 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
352 ASCIIToUTF16("UTILITY_PROCESS_CRASHED_WHILE_TRYING_TO_INSTALL")) +
354 l10n_util::GetStringUTF16(IDS_EXTENSION_INSTALL_PROCESS_CRASHED
));
357 void SandboxedUnpacker::StartProcessOnIOThread(
358 const base::FilePath
& temp_crx_path
) {
359 UtilityProcessHost
* host
=
360 UtilityProcessHost::Create(this, unpacker_io_task_runner_
.get());
362 l10n_util::GetStringUTF16(IDS_UTILITY_PROCESS_EXTENSION_UNPACKER_NAME
));
363 // Grant the subprocess access to the entire subdir the extension file is
364 // in, so that it can unpack to that dir.
365 host
->SetExposedDir(temp_crx_path
.DirName());
366 host
->Send(new ChromeUtilityMsg_UnpackExtension(temp_crx_path
, extension_id_
,
367 location_
, creation_flags_
));
370 void SandboxedUnpacker::OnUnpackExtensionSucceeded(
371 const base::DictionaryValue
& manifest
) {
372 CHECK(unpacker_io_task_runner_
->RunsTasksOnCurrentThread());
373 got_response_
= true;
375 scoped_ptr
<base::DictionaryValue
> final_manifest(
376 RewriteManifestFile(manifest
));
380 // Create an extension object that refers to the temporary location the
381 // extension was unpacked to. We use this until the extension is finally
382 // installed. For example, the install UI shows images from inside the
385 // Localize manifest now, so confirm UI gets correct extension name.
387 // TODO(rdevlin.cronin): Continue removing std::string errors and replacing
388 // with base::string16
389 std::string utf8_error
;
390 if (!extension_l10n_util::LocalizeExtension(
391 extension_root_
, final_manifest
.get(), &utf8_error
)) {
393 COULD_NOT_LOCALIZE_EXTENSION
,
394 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_ERROR_MESSAGE
,
395 base::UTF8ToUTF16(utf8_error
)));
400 Extension::Create(extension_root_
, location_
, *final_manifest
,
401 Extension::REQUIRE_KEY
| creation_flags_
, &utf8_error
);
403 if (!extension_
.get()) {
404 ReportFailure(INVALID_MANIFEST
,
405 ASCIIToUTF16("Manifest is invalid: " + utf8_error
));
409 SkBitmap install_icon
;
410 if (!RewriteImageFiles(&install_icon
))
413 if (!RewriteCatalogFiles())
416 ReportSuccess(manifest
, install_icon
);
419 void SandboxedUnpacker::OnUnpackExtensionFailed(const base::string16
& error
) {
420 CHECK(unpacker_io_task_runner_
->RunsTasksOnCurrentThread());
421 got_response_
= true;
423 UNPACKER_CLIENT_FAILED
,
424 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_ERROR_MESSAGE
, error
));
427 static size_t ReadAndHash(void* ptr
,
431 scoped_ptr
<crypto::SecureHash
>& hash
) {
432 size_t len
= fread(ptr
, size
, nmemb
, stream
);
433 if (len
> 0 && hash
) {
434 hash
->Update(ptr
, len
* size
);
439 bool SandboxedUnpacker::FinalizeHash(scoped_ptr
<crypto::SecureHash
>& hash
) {
441 uint8 output
[crypto::kSHA256Length
];
442 hash
->Finish(output
, sizeof(output
));
443 std::string real_hash
=
444 base::StringToLowerASCII(base::HexEncode(output
, sizeof(output
)));
445 bool result
= (real_hash
== package_hash_
);
446 UMA_HISTOGRAM_BOOLEAN("Extensions.SandboxUnpackHashCheck", result
);
447 if (!result
&& check_crx_hash_
) {
448 // Package hash verification failed
449 LOG(ERROR
) << "Hash check failed for extension: " << extension_id_
450 << ", expected " << package_hash_
<< ", got " << real_hash
;
451 ReportFailure(CRX_HASH_VERIFICATION_FAILED
,
452 l10n_util::GetStringFUTF16(
453 IDS_EXTENSION_PACKAGE_ERROR_CODE
,
454 ASCIIToUTF16("CRX_HASH_VERIFICATION_FAILED")));
462 bool SandboxedUnpacker::ValidateSignature() {
463 base::ScopedFILE
file(base::OpenFile(crx_path_
, "rb"));
465 scoped_ptr
<crypto::SecureHash
> hash
;
467 if (!package_hash_
.empty()) {
468 hash
.reset(crypto::SecureHash::Create(crypto::SecureHash::SHA256
));
472 // Could not open crx file for reading.
474 // On windows, get the error code.
475 uint32 error_code
= ::GetLastError();
476 // TODO(skerner): Use this histogram to understand why so many
477 // windows users hit this error. crbug.com/69693
479 // Windows errors are unit32s, but all of likely errors are in
480 // [1, 1000]. See winerror.h for the meaning of specific values.
481 // Clip errors outside the expected range to a single extra value.
482 // If there are errors in that extra bucket, we will know to expand
484 const uint32 kMaxErrorToSend
= 1001;
485 error_code
= std::min(error_code
, kMaxErrorToSend
);
486 UMA_HISTOGRAM_ENUMERATION("Extensions.ErrorCodeFromCrxOpen", error_code
,
491 CRX_FILE_NOT_READABLE
,
492 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_ERROR_CODE
,
493 ASCIIToUTF16("CRX_FILE_NOT_READABLE")));
497 // Read and verify the header.
498 // TODO(erikkay): Yuck. I'm not a big fan of this kind of code, but it
499 // appears that we don't have any endian/alignment aware serialization
500 // code in the code base. So for now, this assumes that we're running
501 // on a little endian machine with 4 byte alignment.
502 CrxFile::Header header
;
503 size_t len
= ReadAndHash(&header
, 1, sizeof(header
), file
.get(), hash
);
504 if (len
< sizeof(header
)) {
505 // Invalid crx header
506 ReportFailure(CRX_HEADER_INVALID
, l10n_util::GetStringFUTF16(
507 IDS_EXTENSION_PACKAGE_ERROR_CODE
,
508 ASCIIToUTF16("CRX_HEADER_INVALID")));
512 CrxFile::Error error
;
513 scoped_ptr
<CrxFile
> crx(CrxFile::Parse(header
, &error
));
516 case CrxFile::kWrongMagic
:
517 ReportFailure(CRX_MAGIC_NUMBER_INVALID
,
518 l10n_util::GetStringFUTF16(
519 IDS_EXTENSION_PACKAGE_ERROR_CODE
,
520 ASCIIToUTF16("CRX_MAGIC_NUMBER_INVALID")));
522 case CrxFile::kInvalidVersion
:
524 ReportFailure(CRX_VERSION_NUMBER_INVALID
,
525 l10n_util::GetStringFUTF16(
526 IDS_EXTENSION_PACKAGE_ERROR_CODE
,
527 ASCIIToUTF16("CRX_VERSION_NUMBER_INVALID")));
529 case CrxFile::kInvalidKeyTooLarge
:
530 case CrxFile::kInvalidSignatureTooLarge
:
531 // Excessively large key or signature
533 CRX_EXCESSIVELY_LARGE_KEY_OR_SIGNATURE
,
534 l10n_util::GetStringFUTF16(
535 IDS_EXTENSION_PACKAGE_ERROR_CODE
,
536 ASCIIToUTF16("CRX_EXCESSIVELY_LARGE_KEY_OR_SIGNATURE")));
538 case CrxFile::kInvalidKeyTooSmall
:
539 // Key length is zero
542 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_ERROR_CODE
,
543 ASCIIToUTF16("CRX_ZERO_KEY_LENGTH")));
545 case CrxFile::kInvalidSignatureTooSmall
:
546 // Signature length is zero
547 ReportFailure(CRX_ZERO_SIGNATURE_LENGTH
,
548 l10n_util::GetStringFUTF16(
549 IDS_EXTENSION_PACKAGE_ERROR_CODE
,
550 ASCIIToUTF16("CRX_ZERO_SIGNATURE_LENGTH")));
556 std::vector
<uint8
> key
;
557 key
.resize(header
.key_size
);
558 len
= ReadAndHash(&key
.front(), sizeof(uint8
), header
.key_size
, file
.get(),
560 if (len
< header
.key_size
) {
561 // Invalid public key
563 CRX_PUBLIC_KEY_INVALID
,
564 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_ERROR_CODE
,
565 ASCIIToUTF16("CRX_PUBLIC_KEY_INVALID")));
569 std::vector
<uint8
> signature
;
570 signature
.resize(header
.signature_size
);
571 len
= ReadAndHash(&signature
.front(), sizeof(uint8
), header
.signature_size
,
573 if (len
< header
.signature_size
) {
576 CRX_SIGNATURE_INVALID
,
577 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_ERROR_CODE
,
578 ASCIIToUTF16("CRX_SIGNATURE_INVALID")));
582 crypto::SignatureVerifier verifier
;
583 if (!verifier
.VerifyInit(
584 crx_file::kSignatureAlgorithm
, sizeof(crx_file::kSignatureAlgorithm
),
585 &signature
.front(), signature
.size(), &key
.front(), key
.size())) {
586 // Signature verification initialization failed. This is most likely
587 // caused by a public key in the wrong format (should encode algorithm).
589 CRX_SIGNATURE_VERIFICATION_INITIALIZATION_FAILED
,
590 l10n_util::GetStringFUTF16(
591 IDS_EXTENSION_PACKAGE_ERROR_CODE
,
592 ASCIIToUTF16("CRX_SIGNATURE_VERIFICATION_INITIALIZATION_FAILED")));
596 unsigned char buf
[1 << 12];
597 while ((len
= ReadAndHash(buf
, 1, sizeof(buf
), file
.get(), hash
)) > 0)
598 verifier
.VerifyUpdate(buf
, len
);
600 if (!verifier
.VerifyFinal()) {
601 // Signature verification failed
602 ReportFailure(CRX_SIGNATURE_VERIFICATION_FAILED
,
603 l10n_util::GetStringFUTF16(
604 IDS_EXTENSION_PACKAGE_ERROR_CODE
,
605 ASCIIToUTF16("CRX_SIGNATURE_VERIFICATION_FAILED")));
609 std::string public_key
=
610 std::string(reinterpret_cast<char*>(&key
.front()), key
.size());
611 base::Base64Encode(public_key
, &public_key_
);
613 extension_id_
= crx_file::id_util::GenerateId(public_key
);
615 return FinalizeHash(hash
);
618 void SandboxedUnpacker::ReportFailure(FailureReason reason
,
619 const base::string16
& error
) {
620 UMA_HISTOGRAM_ENUMERATION("Extensions.SandboxUnpackFailureReason", reason
,
621 NUM_FAILURE_REASONS
);
622 UMA_HISTOGRAM_TIMES("Extensions.SandboxUnpackFailureTime",
623 base::TimeTicks::Now() - unpack_start_time_
);
626 CrxInstallError
error_info(reason
== CRX_HASH_VERIFICATION_FAILED
627 ? CrxInstallError::ERROR_HASH_MISMATCH
628 : CrxInstallError::ERROR_OTHER
,
631 client_
->OnUnpackFailure(error_info
);
634 void SandboxedUnpacker::ReportSuccess(
635 const base::DictionaryValue
& original_manifest
,
636 const SkBitmap
& install_icon
) {
637 UMA_HISTOGRAM_COUNTS("Extensions.SandboxUnpackSuccess", 1);
639 RecordSuccessfulUnpackTimeHistograms(
640 crx_path_
, base::TimeTicks::Now() - unpack_start_time_
);
642 // Client takes ownership of temporary directory and extension.
643 client_
->OnUnpackSuccess(temp_dir_
.Take(), extension_root_
,
644 &original_manifest
, extension_
.get(), install_icon
);
648 base::DictionaryValue
* SandboxedUnpacker::RewriteManifestFile(
649 const base::DictionaryValue
& manifest
) {
650 // Add the public key extracted earlier to the parsed manifest and overwrite
651 // the original manifest. We do this to ensure the manifest doesn't contain an
652 // exploitable bug that could be used to compromise the browser.
653 scoped_ptr
<base::DictionaryValue
> final_manifest(manifest
.DeepCopy());
654 final_manifest
->SetString(manifest_keys::kPublicKey
, public_key_
);
656 std::string manifest_json
;
657 JSONStringValueSerializer
serializer(&manifest_json
);
658 serializer
.set_pretty_print(true);
659 if (!serializer
.Serialize(*final_manifest
)) {
660 // Error serializing manifest.json.
661 ReportFailure(ERROR_SERIALIZING_MANIFEST_JSON
,
662 l10n_util::GetStringFUTF16(
663 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
664 ASCIIToUTF16("ERROR_SERIALIZING_MANIFEST_JSON")));
668 base::FilePath manifest_path
= extension_root_
.Append(kManifestFilename
);
669 int size
= base::checked_cast
<int>(manifest_json
.size());
670 if (base::WriteFile(manifest_path
, manifest_json
.data(), size
) != size
) {
671 // Error saving manifest.json.
673 ERROR_SAVING_MANIFEST_JSON
,
674 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
675 ASCIIToUTF16("ERROR_SAVING_MANIFEST_JSON")));
679 return final_manifest
.release();
682 bool SandboxedUnpacker::RewriteImageFiles(SkBitmap
* install_icon
) {
683 DecodedImages images
;
684 if (!ReadImagesFromFile(temp_dir_
.path(), &images
)) {
685 // Couldn't read image data from disk.
686 ReportFailure(COULD_NOT_READ_IMAGE_DATA_FROM_DISK
,
687 l10n_util::GetStringFUTF16(
688 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
689 ASCIIToUTF16("COULD_NOT_READ_IMAGE_DATA_FROM_DISK")));
693 // Delete any images that may be used by the browser. We're going to write
694 // out our own versions of the parsed images, and we want to make sure the
695 // originals are gone for good.
696 std::set
<base::FilePath
> image_paths
=
697 ExtensionsClient::Get()->GetBrowserImagePaths(extension_
.get());
698 if (image_paths
.size() != images
.size()) {
699 // Decoded images don't match what's in the manifest.
701 DECODED_IMAGES_DO_NOT_MATCH_THE_MANIFEST
,
702 l10n_util::GetStringFUTF16(
703 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
704 ASCIIToUTF16("DECODED_IMAGES_DO_NOT_MATCH_THE_MANIFEST")));
708 for (std::set
<base::FilePath
>::iterator it
= image_paths
.begin();
709 it
!= image_paths
.end(); ++it
) {
710 base::FilePath path
= *it
;
711 if (path
.IsAbsolute() || path
.ReferencesParent()) {
712 // Invalid path for browser image.
713 ReportFailure(INVALID_PATH_FOR_BROWSER_IMAGE
,
714 l10n_util::GetStringFUTF16(
715 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
716 ASCIIToUTF16("INVALID_PATH_FOR_BROWSER_IMAGE")));
719 if (!base::DeleteFile(extension_root_
.Append(path
), false)) {
720 // Error removing old image file.
721 ReportFailure(ERROR_REMOVING_OLD_IMAGE_FILE
,
722 l10n_util::GetStringFUTF16(
723 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
724 ASCIIToUTF16("ERROR_REMOVING_OLD_IMAGE_FILE")));
729 const std::string
& install_icon_path
=
730 IconsInfo::GetIcons(extension_
.get())
731 .Get(extension_misc::EXTENSION_ICON_LARGE
,
732 ExtensionIconSet::MATCH_BIGGER
);
734 // Write our parsed images back to disk as well.
735 for (size_t i
= 0; i
< images
.size(); ++i
) {
736 if (BrowserThread::GetBlockingPool()->IsShutdownInProgress()) {
737 // Abort package installation if shutdown was initiated, crbug.com/235525
739 ABORTED_DUE_TO_SHUTDOWN
,
740 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
741 ASCIIToUTF16("ABORTED_DUE_TO_SHUTDOWN")));
745 const SkBitmap
& image
= get
<0>(images
[i
]);
746 base::FilePath path_suffix
= get
<1>(images
[i
]);
747 if (path_suffix
.MaybeAsASCII() == install_icon_path
)
748 *install_icon
= image
;
750 if (path_suffix
.IsAbsolute() || path_suffix
.ReferencesParent()) {
751 // Invalid path for bitmap image.
752 ReportFailure(INVALID_PATH_FOR_BITMAP_IMAGE
,
753 l10n_util::GetStringFUTF16(
754 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
755 ASCIIToUTF16("INVALID_PATH_FOR_BITMAP_IMAGE")));
758 base::FilePath path
= extension_root_
.Append(path_suffix
);
760 std::vector
<unsigned char> image_data
;
761 // TODO(mpcomplete): It's lame that we're encoding all images as PNG, even
762 // though they may originally be .jpg, etc. Figure something out.
763 // http://code.google.com/p/chromium/issues/detail?id=12459
764 if (!gfx::PNGCodec::EncodeBGRASkBitmap(image
, false, &image_data
)) {
765 // Error re-encoding theme image.
766 ReportFailure(ERROR_RE_ENCODING_THEME_IMAGE
,
767 l10n_util::GetStringFUTF16(
768 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
769 ASCIIToUTF16("ERROR_RE_ENCODING_THEME_IMAGE")));
773 // Note: we're overwriting existing files that the utility process wrote,
774 // so we can be sure the directory exists.
775 const char* image_data_ptr
= reinterpret_cast<const char*>(&image_data
[0]);
776 int size
= base::checked_cast
<int>(image_data
.size());
777 if (base::WriteFile(path
, image_data_ptr
, size
) != size
) {
778 // Error saving theme image.
780 ERROR_SAVING_THEME_IMAGE
,
781 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
782 ASCIIToUTF16("ERROR_SAVING_THEME_IMAGE")));
790 bool SandboxedUnpacker::RewriteCatalogFiles() {
791 base::DictionaryValue catalogs
;
792 if (!ReadMessageCatalogsFromFile(temp_dir_
.path(), &catalogs
)) {
793 // Could not read catalog data from disk.
794 ReportFailure(COULD_NOT_READ_CATALOG_DATA_FROM_DISK
,
795 l10n_util::GetStringFUTF16(
796 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
797 ASCIIToUTF16("COULD_NOT_READ_CATALOG_DATA_FROM_DISK")));
801 // Write our parsed catalogs back to disk.
802 for (base::DictionaryValue::Iterator
it(catalogs
); !it
.IsAtEnd();
804 const base::DictionaryValue
* catalog
= NULL
;
805 if (!it
.value().GetAsDictionary(&catalog
)) {
806 // Invalid catalog data.
808 INVALID_CATALOG_DATA
,
809 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
810 ASCIIToUTF16("INVALID_CATALOG_DATA")));
814 base::FilePath relative_path
= base::FilePath::FromUTF8Unsafe(it
.key());
815 relative_path
= relative_path
.Append(kMessagesFilename
);
816 if (relative_path
.IsAbsolute() || relative_path
.ReferencesParent()) {
817 // Invalid path for catalog.
819 INVALID_PATH_FOR_CATALOG
,
820 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
821 ASCIIToUTF16("INVALID_PATH_FOR_CATALOG")));
824 base::FilePath path
= extension_root_
.Append(relative_path
);
826 std::string catalog_json
;
827 JSONStringValueSerializer
serializer(&catalog_json
);
828 serializer
.set_pretty_print(true);
829 if (!serializer
.Serialize(*catalog
)) {
830 // Error serializing catalog.
831 ReportFailure(ERROR_SERIALIZING_CATALOG
,
832 l10n_util::GetStringFUTF16(
833 IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
834 ASCIIToUTF16("ERROR_SERIALIZING_CATALOG")));
838 // Note: we're overwriting existing files that the utility process read,
839 // so we can be sure the directory exists.
840 int size
= base::checked_cast
<int>(catalog_json
.size());
841 if (base::WriteFile(path
, catalog_json
.c_str(), size
) != size
) {
842 // Error saving catalog.
844 ERROR_SAVING_CATALOG
,
845 l10n_util::GetStringFUTF16(IDS_EXTENSION_PACKAGE_INSTALL_ERROR
,
846 ASCIIToUTF16("ERROR_SAVING_CATALOG")));
854 void SandboxedUnpacker::Cleanup() {
855 DCHECK(unpacker_io_task_runner_
->RunsTasksOnCurrentThread());
856 if (!temp_dir_
.Delete()) {
857 LOG(WARNING
) << "Can not delete temp directory at "
858 << temp_dir_
.path().value();
862 } // namespace extensions