Add new certificateProvider extension API.
[chromium-blink-merge.git] / chrome / browser / download / download_extensions.cc
blob364ef338e1d5075931c406b2d404e0e1e10053eb
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include <set>
6 #include <string>
8 #include "chrome/browser/download/download_extensions.h"
10 #include "base/strings/string_util.h"
11 #include "base/strings/utf_string_conversions.h"
12 #include "net/base/mime_util.h"
13 #include "net/base/net_util.h"
15 namespace download_util {
17 // For file extensions taken from mozilla:
19 /* ***** BEGIN LICENSE BLOCK *****
20 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
22 * The contents of this file are subject to the Mozilla Public License Version
23 * 1.1 (the "License"); you may not use this file except in compliance with
24 * the License. You may obtain a copy of the License at
25 * http://www.mozilla.org/MPL/
27 * Software distributed under the License is distributed on an "AS IS" basis,
28 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
29 * for the specific language governing rights and limitations under the
30 * License.
32 * The Original Code is Mozilla Communicator client code, released
33 * March 31, 1998.
35 * The Initial Developer of the Original Code is
36 * Netscape Communications Corporation.
37 * Portions created by the Initial Developer are Copyright (C) 1998-1999
38 * the Initial Developer. All Rights Reserved.
40 * Contributor(s):
41 * Doug Turner <dougt@netscape.com>
42 * Dean Tessman <dean_tessman@hotmail.com>
43 * Brodie Thiesfield <brofield@jellycan.com>
44 * Jungshik Shin <jshin@i18nl10n.com>
46 * Alternatively, the contents of this file may be used under the terms of
47 * either of the GNU General Public License Version 2 or later (the "GPL"),
48 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
49 * in which case the provisions of the GPL or the LGPL are applicable instead
50 * of those above. If you wish to allow use of your version of this file only
51 * under the terms of either the GPL or the LGPL, and not to allow others to
52 * use your version of this file under the terms of the MPL, indicate your
53 * decision by deleting the provisions above and replace them with the notice
54 * and other provisions required by the GPL or the LGPL. If you do not delete
55 * the provisions above, a recipient may use your version of this file under
56 * the terms of any one of the MPL, the GPL or the LGPL.
58 * ***** END LICENSE BLOCK ***** */
60 namespace {
62 enum DownloadAutoOpenHint {
63 ALLOW_AUTO_OPEN,
65 // The file type should not be allowed to open automatically.
67 // Criteria for disallowing a file type from opening automatically:
69 // Includes file types that upon opening may either:
70 // * ... execute arbitrary or harmful code with user privileges.
71 // * ... change configuration of the system to cause harmful behavior
72 // immediately or at some time in the future.
74 // Doesn't include file types that upon opening:
75 // * ... sufficiently warn the user about the fact that:
76 // - This file was downloaded from the internet.
77 // - Opening it can make specified changes to the system.
78 // (Note that any such warnings need to be displayed prior to the harmful
79 // logic being executed).
80 // * ... does nothing particularly dangerous, despite the act of downloading
81 // itself being dangerous (E.g. .local and .manifest files).
82 DISALLOW_AUTO_OPEN,
85 // Guidelines for adding a new dangerous file type:
87 // * Include a comment above the file type that:
88 // - Describes the file type.
89 // - Justifies why it is considered dangerous if this isn't obvious from the
90 // description.
91 // - Justifies why the file type is disallowed from auto opening, if
92 // necessary.
93 // * Add the file extension to the kDangerousFileTypes array in
94 // download_stats.cc.
96 // TODO(asanka): All file types listed below should have descriptions.
97 const struct FileType {
98 const char* extension; // Extension sans leading extension separator.
99 DownloadDangerLevel danger_level;
100 DownloadAutoOpenHint auto_open_hint;
101 } kDownloadFileTypes[] = {
102 // Some files are dangerous on all platforms.
104 // Flash files downloaded locally can sometimes access the local filesystem.
105 {"swf", DANGEROUS, DISALLOW_AUTO_OPEN},
106 {"spl", DANGEROUS, DISALLOW_AUTO_OPEN},
108 // Chrome extensions should be obtained through the web store. Allowed to
109 // open automatically because Chrome displays a prompt prior to
110 // installation.
111 {"crx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
113 // Windows, all file categories. The list is in alphabetical order of
114 // extensions. Exceptions are made for logical groupings of file types.
116 // Some file descriptions are based on
117 // https://support.office.com/article/Blocked-attachments-in-Outlook-3811cddc-17c3-4279-a30c-060ba0207372
118 #if defined(OS_WIN)
119 {"ad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
121 // Microsoft Access related.
122 {"ade", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Project extension
123 {"adp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Project.
124 {"mad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Module Shortcut.
125 {"maf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
126 {"mag", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Diagram Shortcut.
127 {"mam", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Macro Shortcut.
128 {"maq", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Query Shortcut.
129 {"mar", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Report Shortcut.
130 {"mas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Stored Procedures.
131 {"mat", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Table Shortcut.
132 {"mav", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // View Shortcut.
133 {"maw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Data Access Page.
134 {"mda", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Access Add-in.
135 {"mdb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Database.
136 {"mde", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Database.
137 {"mdt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Add-in Data.
138 {"mdw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Workgroup Information.
139 {"mdz", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Wizard Template.
141 // Executable Application.
142 {"app", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
144 // Microsoft ClickOnce depolyment manifest. By default, opens with
145 // dfshim.dll which should prompt the user before running untrusted code.
146 {"application", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
147 // ClickOnce application reference. Basically a .lnk for ClickOnce apps.
148 {"appref-ms", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
150 // Active Server Pages source file.
151 {"asp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
153 // Advanced Stream Redirector. Contains a playlist of media files.
154 {"asx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
156 // Microsoft Visual Basic source file. Opens by default in an editor.
157 {"bas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
159 // Command script.
160 {"bat", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
162 {"cfg", DANGEROUS, ALLOW_AUTO_OPEN},
164 // Windows Compiled HTML Help files.
165 {"chi", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
166 {"chm", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
168 // Command script.
169 {"cmd", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
171 // Windows legacy executable.
172 {"com", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
174 // Control panel tool. Executable.
175 {"cpl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
177 // Signed certificate file.
178 {"crt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
180 // Windows executables.
181 {"dll", DANGEROUS, DISALLOW_AUTO_OPEN},
182 {"drv", DANGEROUS, DISALLOW_AUTO_OPEN},
183 {"exe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
185 // Font file, uses Portable Executable or New Executable format. Not
186 // supposed to contain executable code.
187 {"fon", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
189 // Microsoft FoxPro Compiled Source.
190 {"fxp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
192 // Windows Sidebar Gadget (Vista & Win 7). ZIP archive containing html + js.
193 // Deprecated by Microsoft. Can run arbitrary code with user privileges.
194 // (https://technet.microsoft.com/library/security/2719662)
195 {"gadget", DANGEROUS, DISALLOW_AUTO_OPEN},
197 // MSProgramGroup (?).
198 {"grp", DANGEROUS, ALLOW_AUTO_OPEN},
200 // Windows legacy help file format.
201 {"hlp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
203 // HTML Application. Executes as a fully trusted application.
204 {"hta", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
206 // Hypertext Template File. See https://support.microsoft.com/kb/181689.
207 {"htt", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
209 // Device installation information.
210 {"inf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
212 // Generic configuration file.
213 {"ini", DANGEROUS, ALLOW_AUTO_OPEN},
215 // Microsoft IIS Internet Communication Settings.
216 {"ins", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
218 // Microsoft IIS Internet Service Provider Settings.
219 {"isp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
221 // JavaScript file. May open using Windows Script Host with user level
222 // privileges.
223 {"js", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
225 // JScript encoded script file. Usually produced by running Microsoft Script
226 // Encoder over a .js file.
227 // See https://msdn.microsoft.com/library/d14c8zsc.aspx
228 {"jse", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
230 // Shortcuts. May open anything.
231 {"lnk", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
233 // .local files affect DLL search path for .exe file with same base name.
234 {"local", DANGEROUS, ALLOW_AUTO_OPEN},
236 // While being a generic name, having a .manifest file with the same
237 // basename as .exe file (foo.exe + foo.exe.manifest) changes the dll search
238 // order for the .exe file. Downloading this kind of file to the users'
239 // download directory is almost always the wrong thing to do.
240 {"manifest", DANGEROUS, ALLOW_AUTO_OPEN},
242 // Media Attachment Unit.
243 {"mau", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
245 // Multipart HTML.
246 {"mht", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
247 {"mhtml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
249 {"mmc", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
250 {"mof", DANGEROUS, ALLOW_AUTO_OPEN},
252 // Microsoft Management Console Snap-in. Contains executable code.
253 {"msc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
255 // Microsoft Shell.
256 {"msh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
257 {"msh1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
258 {"msh2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
259 {"mshxml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
260 {"msh1xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
261 {"msh2xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
263 // Windows Installer.
264 {"msi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
265 {"msp", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
266 {"mst", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
268 // ActiveX Control.
269 {"ocx", DANGEROUS, DISALLOW_AUTO_OPEN},
271 // Microsoft Office Profile Settings File.
272 {"ops", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
274 // Microsoft Visual Test.
275 {"pcd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
277 // Program Information File. Originally intended to configure execution
278 // environment for legacy DOS files. They aren't meant to contain executable
279 // code. But Windows may execute a PIF file that is sniffed as a PE file.
280 {"pif", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
282 // Developer Studio Build Log.
283 {"plg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
285 // Windows System File.
286 {"prf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
288 // Program File.
289 {"prg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
291 // Microsoft Exchange Address Book File. Microsoft Outlook Personal Folder
292 // File.
293 {"pst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
295 // Microsoft Windows PowerShell.
296 {"ps1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
297 {"ps1xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
298 {"ps2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
299 {"ps2xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
300 {"psc1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
301 {"psc2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
303 // Registry file. Opening may cause registry settings to change. Users still
304 // need to click through a prompt. So we could consider relaxing the
305 // DISALLOW_AUTO_OPEN restriction.
306 {"reg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
308 // Microsoft Windows Explorer Command.
309 // See https://support.microsoft.com/kb/190355 for an example.
310 {"scf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
312 // Microsoft Windows Screen Saver.
313 {"scr", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
315 // Microsoft Windows Script Component. Microsoft FoxPro Screen.
316 // A Script Component is a COM component created using script.
317 // See https://msdn.microsoft.com/library/aa233148.aspx for an example.
318 {"sct", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
320 // Microsoft Windows Shortcut into a document.
321 // See https://support.microsoft.com/kb/212344
322 {"shb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
324 // Shell Scrap Object File.
325 {"shs", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
327 // System executable. Windows tries hard to prevent you from opening these
328 // types of files.
329 {"sys", DANGEROUS, DISALLOW_AUTO_OPEN},
331 // Internet Shortcut (new since IE9). Both .url and .website are .ini files
332 // that describe a shortcut that points to a URL. They can point at
333 // anything. Dropping a download of this type and opening it automatically
334 // can in effect sidestep origin restrictions etc.
335 {"url", DANGEROUS, DISALLOW_AUTO_OPEN},
336 {"website", DANGEROUS, DISALLOW_AUTO_OPEN},
338 // VBScript files. My open with Windows Script Host and execute with user
339 // privileges.
340 {"vb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
341 {"vbe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
342 {"vbs", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
344 {"vsd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
346 // Microsoft Visual Studio Binary-based Macro Project.
347 {"vsmacros", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
349 {"vss", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
350 {"vst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
352 // Microsoft Visio Workspace.
353 {"vsw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
355 // Windows Script Host related.
356 {"ws", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
357 {"wsc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
358 {"wsf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
359 {"wsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
361 // XAML Browser Application.
362 {"xbap", DANGEROUS, DISALLOW_AUTO_OPEN},
364 // Microsoft Exchange Public Folder Shortcut.
365 {"xnk", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
366 #endif // OS_WIN
368 // Java.
369 #if !defined(OS_CHROMEOS)
370 {"class", DANGEROUS, DISALLOW_AUTO_OPEN},
371 {"jar", DANGEROUS, DISALLOW_AUTO_OPEN},
372 {"jnlp", DANGEROUS, DISALLOW_AUTO_OPEN},
373 #endif
375 #if !defined(OS_CHROMEOS) && !defined(OS_ANDROID)
376 // Scripting languages. (Shells are handled below.)
377 {"pl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
378 {"py", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
379 {"pyc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
380 {"pyw", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
381 {"rb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
383 // Extensible Firmware Interface executable.
384 {"efi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
385 #endif
387 // Shell languages. (OS_ANDROID is OS_POSIX.) OS_WIN shells are handled above.
388 #if defined(OS_POSIX)
389 {"bash", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
390 {"csh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
391 {"ksh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
392 {"sh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
393 {"shar", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
394 {"tcsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
395 #endif
396 #if defined(OS_MACOSX)
397 {"command", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
398 #endif
400 // Package management formats. OS_WIN package formats are handled above.
401 #if defined(OS_MACOSX) || defined(OS_LINUX)
402 {"pkg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
403 #endif
404 #if defined(OS_LINUX)
405 {"deb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
406 {"rpm", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
407 #endif
408 #if defined(OS_ANDROID)
409 {"dex", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
410 #endif
413 // FileType for files with an empty extension.
414 const FileType kEmptyFileType = {nullptr, NOT_DANGEROUS, DISALLOW_AUTO_OPEN};
416 // Default FileType for non-empty extensions that aren't in the list above.
417 const FileType kUnknownFileType = {nullptr, NOT_DANGEROUS, ALLOW_AUTO_OPEN};
419 const FileType& GetFileType(const base::FilePath& path) {
420 base::FilePath::StringType extension(path.FinalExtension());
421 if (extension.empty())
422 return kEmptyFileType;
423 if (!base::IsStringASCII(extension))
424 return kUnknownFileType;
425 #if defined(OS_WIN)
426 std::string ascii_extension = base::UTF16ToASCII(extension);
427 #elif defined(OS_POSIX)
428 std::string ascii_extension = extension;
429 #endif
431 // Strip out leading dot if it's still there
432 if (ascii_extension[0] == base::FilePath::kExtensionSeparator)
433 ascii_extension.erase(0, 1);
435 for (const auto& file_type : kDownloadFileTypes) {
436 if (base::LowerCaseEqualsASCII(ascii_extension, file_type.extension))
437 return file_type;
440 return kUnknownFileType;
443 } // namespace
445 DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
446 return GetFileType(path).danger_level;
449 bool IsAllowedToOpenAutomatically(const base::FilePath& path) {
450 return GetFileType(path).auto_open_hint == ALLOW_AUTO_OPEN;
453 } // namespace download_util