1 // Copyright 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include "extensions/common/file_util.h"
13 #include "base/files/file_enumerator.h"
14 #include "base/files/file_path.h"
15 #include "base/files/file_util.h"
16 #include "base/files/scoped_temp_dir.h"
17 #include "base/json/json_file_value_serializer.h"
18 #include "base/logging.h"
19 #include "base/memory/scoped_ptr.h"
20 #include "base/metrics/field_trial.h"
21 #include "base/metrics/histogram.h"
22 #include "base/strings/stringprintf.h"
23 #include "base/strings/utf_string_conversions.h"
24 #include "base/threading/thread_restrictions.h"
25 #include "base/time/time.h"
26 #include "extensions/common/constants.h"
27 #include "extensions/common/extension.h"
28 #include "extensions/common/extension_icon_set.h"
29 #include "extensions/common/extension_l10n_util.h"
30 #include "extensions/common/extension_set.h"
31 #include "extensions/common/install_warning.h"
32 #include "extensions/common/manifest.h"
33 #include "extensions/common/manifest_constants.h"
34 #include "extensions/common/manifest_handler.h"
35 #include "extensions/common/manifest_handlers/default_locale_handler.h"
36 #include "extensions/common/manifest_handlers/icons_handler.h"
37 #include "extensions/common/manifest_handlers/shared_module_info.h"
38 #include "grit/extensions_strings.h"
39 #include "net/base/escape.h"
40 #include "net/base/filename_util.h"
41 #include "ui/base/l10n/l10n_util.h"
44 namespace extensions
{
48 // Returns true if the given file path exists and is not zero-length.
49 bool ValidateFilePath(const base::FilePath
& path
) {
51 if (!base::PathExists(path
) ||
52 !base::GetFileSize(path
, &size
) ||
60 // Returns true if the extension installation should flush all files and the
62 bool UseSafeInstallation() {
63 const char kFieldTrialName
[] = "ExtensionUseSafeInstallation";
64 const char kEnable
[] = "Enable";
65 return base::FieldTrialList::FindFullName(kFieldTrialName
) == kEnable
;
68 enum FlushOneOrAllFiles
{
73 // Flush all files in a directory or just one. When flushing all files, it
74 // makes sure every file is on disk. When flushing one file only, it ensures
75 // all parent directories are on disk.
76 void FlushFilesInDir(const base::FilePath
& path
,
77 FlushOneOrAllFiles one_or_all_files
) {
78 if (!UseSafeInstallation()) {
81 base::FileEnumerator
temp_traversal(path
,
83 base::FileEnumerator::FILES
);
84 for (base::FilePath current
= temp_traversal
.Next(); !current
.empty();
85 current
= temp_traversal
.Next()) {
86 base::File
currentFile(current
,
87 base::File::FLAG_OPEN
| base::File::FLAG_WRITE
);
90 if (one_or_all_files
== ONE_FILE_ONLY
) {
98 const base::FilePath::CharType kTempDirectoryName
[] = FILE_PATH_LITERAL("Temp");
100 base::FilePath
InstallExtension(const base::FilePath
& unpacked_source_dir
,
101 const std::string
& id
,
102 const std::string
& version
,
103 const base::FilePath
& extensions_dir
) {
104 base::FilePath extension_dir
= extensions_dir
.AppendASCII(id
);
105 base::FilePath version_dir
;
107 // Create the extension directory if it doesn't exist already.
108 if (!base::PathExists(extension_dir
)) {
109 if (!base::CreateDirectory(extension_dir
))
110 return base::FilePath();
113 // Get a temp directory on the same file system as the profile.
114 base::FilePath install_temp_dir
= GetInstallTempDir(extensions_dir
);
115 base::ScopedTempDir extension_temp_dir
;
116 if (install_temp_dir
.empty() ||
117 !extension_temp_dir
.CreateUniqueTempDirUnderPath(install_temp_dir
)) {
118 LOG(ERROR
) << "Creating of temp dir under in the profile failed.";
119 return base::FilePath();
121 base::FilePath crx_temp_source
=
122 extension_temp_dir
.path().Append(unpacked_source_dir
.BaseName());
123 if (!base::Move(unpacked_source_dir
, crx_temp_source
)) {
124 LOG(ERROR
) << "Moving extension from : " << unpacked_source_dir
.value()
125 << " to : " << crx_temp_source
.value() << " failed.";
126 return base::FilePath();
129 // Try to find a free directory. There can be legitimate conflicts in the case
130 // of overinstallation of the same version.
131 const int kMaxAttempts
= 100;
132 for (int i
= 0; i
< kMaxAttempts
; ++i
) {
133 base::FilePath candidate
= extension_dir
.AppendASCII(
134 base::StringPrintf("%s_%u", version
.c_str(), i
));
135 if (!base::PathExists(candidate
)) {
136 version_dir
= candidate
;
141 if (version_dir
.empty()) {
142 LOG(ERROR
) << "Could not find a home for extension " << id
<< " with "
143 << "version " << version
<< ".";
144 return base::FilePath();
147 base::TimeTicks start_time
= base::TimeTicks::Now();
149 // Flush the source dir completely before moving to make sure everything is
150 // on disk. Otherwise a sudden power loss could cause the newly installed
151 // extension to be in a corrupted state. Note that empty sub-directories
152 // may still be lost.
153 FlushFilesInDir(crx_temp_source
, ALL_FILES
);
155 // The target version_dir does not exists yet, so base::Move() is using
156 // rename() on POSIX systems. It is atomic in the sense that it will
157 // either complete successfully or in the event of data loss be reverted.
158 if (!base::Move(crx_temp_source
, version_dir
)) {
159 LOG(ERROR
) << "Installing extension from : " << crx_temp_source
.value()
160 << " into : " << version_dir
.value() << " failed.";
161 return base::FilePath();
164 // Flush one file in the new version_dir to make sure the dir move above is
165 // persisted on disk. This is guaranteed on POSIX systems. ExtensionPrefs
166 // is going to be updated with the new version_dir later. In the event of
167 // data loss ExtensionPrefs should be pointing to the previous version which
169 FlushFilesInDir(version_dir
, ONE_FILE_ONLY
);
171 UMA_HISTOGRAM_TIMES("Extensions.FileInstallation",
172 base::TimeTicks::Now() - start_time
);
177 void UninstallExtension(const base::FilePath
& extensions_dir
,
178 const std::string
& id
) {
179 // We don't care about the return value. If this fails (and it can, due to
180 // plugins that aren't unloaded yet), it will get cleaned up by
181 // ExtensionGarbageCollector::GarbageCollectExtensions.
182 base::DeleteFile(extensions_dir
.AppendASCII(id
), true); // recursive.
185 scoped_refptr
<Extension
> LoadExtension(const base::FilePath
& extension_path
,
186 Manifest::Location location
,
188 std::string
* error
) {
189 return LoadExtension(extension_path
, std::string(), location
, flags
, error
);
192 scoped_refptr
<Extension
> LoadExtension(const base::FilePath
& extension_path
,
193 const std::string
& extension_id
,
194 Manifest::Location location
,
196 std::string
* error
) {
197 scoped_ptr
<base::DictionaryValue
> manifest(
198 LoadManifest(extension_path
, error
));
201 if (!extension_l10n_util::LocalizeExtension(
202 extension_path
, manifest
.get(), error
)) {
206 scoped_refptr
<Extension
> extension(Extension::Create(
207 extension_path
, location
, *manifest
, flags
, extension_id
, error
));
208 if (!extension
.get())
211 std::vector
<InstallWarning
> warnings
;
212 if (!ValidateExtension(extension
.get(), error
, &warnings
))
214 extension
->AddInstallWarnings(warnings
);
219 base::DictionaryValue
* LoadManifest(const base::FilePath
& extension_path
,
220 std::string
* error
) {
221 return LoadManifest(extension_path
, kManifestFilename
, error
);
224 base::DictionaryValue
* LoadManifest(
225 const base::FilePath
& extension_path
,
226 const base::FilePath::CharType
* manifest_filename
,
227 std::string
* error
) {
228 base::FilePath manifest_path
= extension_path
.Append(manifest_filename
);
229 if (!base::PathExists(manifest_path
)) {
230 *error
= l10n_util::GetStringUTF8(IDS_EXTENSION_MANIFEST_UNREADABLE
);
234 JSONFileValueDeserializer
deserializer(manifest_path
);
235 scoped_ptr
<base::Value
> root(deserializer
.Deserialize(NULL
, error
));
237 if (error
->empty()) {
238 // If |error| is empty, than the file could not be read.
239 // It would be cleaner to have the JSON reader give a specific error
240 // in this case, but other code tests for a file error with
241 // error->empty(). For now, be consistent.
242 *error
= l10n_util::GetStringUTF8(IDS_EXTENSION_MANIFEST_UNREADABLE
);
244 *error
= base::StringPrintf(
245 "%s %s", manifest_errors::kManifestParseError
, error
->c_str());
250 if (!root
->IsType(base::Value::TYPE_DICTIONARY
)) {
251 *error
= l10n_util::GetStringUTF8(IDS_EXTENSION_MANIFEST_INVALID
);
255 return static_cast<base::DictionaryValue
*>(root
.release());
258 bool ValidateExtension(const Extension
* extension
,
260 std::vector
<InstallWarning
>* warnings
) {
261 // Ask registered manifest handlers to validate their paths.
262 if (!ManifestHandler::ValidateExtension(extension
, error
, warnings
))
265 // Check children of extension root to see if any of them start with _ and is
266 // not on the reserved list. We only warn, and do not block the loading of the
269 if (!CheckForIllegalFilenames(extension
->path(), &warning
))
270 warnings
->push_back(InstallWarning(warning
));
272 // Check that the extension does not include any Windows reserved filenames.
273 std::string windows_reserved_warning
;
274 if (!CheckForWindowsReservedFilenames(extension
->path(),
275 &windows_reserved_warning
)) {
276 warnings
->push_back(InstallWarning(windows_reserved_warning
));
279 // Check that extensions don't include private key files.
280 std::vector
<base::FilePath
> private_keys
=
281 FindPrivateKeyFiles(extension
->path());
282 if (extension
->creation_flags() & Extension::ERROR_ON_PRIVATE_KEY
) {
283 if (!private_keys
.empty()) {
284 // Only print one of the private keys because l10n_util doesn't have a way
285 // to translate a list of strings.
287 l10n_util::GetStringFUTF8(IDS_EXTENSION_CONTAINS_PRIVATE_KEY
,
288 private_keys
.front().LossyDisplayName());
292 for (size_t i
= 0; i
< private_keys
.size(); ++i
) {
293 warnings
->push_back(InstallWarning(
294 l10n_util::GetStringFUTF8(IDS_EXTENSION_CONTAINS_PRIVATE_KEY
,
295 private_keys
[i
].LossyDisplayName())));
297 // Only warn; don't block loading the extension.
302 std::vector
<base::FilePath
> FindPrivateKeyFiles(
303 const base::FilePath
& extension_dir
) {
304 std::vector
<base::FilePath
> result
;
305 // Pattern matching only works at the root level, so filter manually.
306 base::FileEnumerator
traversal(
307 extension_dir
, /*recursive=*/true, base::FileEnumerator::FILES
);
308 for (base::FilePath current
= traversal
.Next(); !current
.empty();
309 current
= traversal
.Next()) {
310 if (!current
.MatchesExtension(kExtensionKeyFileExtension
))
313 std::string key_contents
;
314 if (!base::ReadFileToString(current
, &key_contents
)) {
315 // If we can't read the file, assume it's not a private key.
318 std::string key_bytes
;
319 if (!Extension::ParsePEMKeyBytes(key_contents
, &key_bytes
)) {
320 // If we can't parse the key, assume it's ok too.
324 result
.push_back(current
);
329 bool CheckForIllegalFilenames(const base::FilePath
& extension_path
,
330 std::string
* error
) {
331 // Reserved underscore names.
332 static const base::FilePath::CharType
* reserved_names
[] = {
333 kLocaleFolder
, kPlatformSpecificFolder
, FILE_PATH_LITERAL("__MACOSX"), };
334 CR_DEFINE_STATIC_LOCAL(
335 std::set
<base::FilePath::StringType
>,
336 reserved_underscore_names
,
337 (reserved_names
, reserved_names
+ arraysize(reserved_names
)));
339 // Enumerate all files and directories in the extension root.
340 // There is a problem when using pattern "_*" with FileEnumerator, so we have
341 // to cheat with find_first_of and match all.
342 const int kFilesAndDirectories
=
343 base::FileEnumerator::DIRECTORIES
| base::FileEnumerator::FILES
;
344 base::FileEnumerator
all_files(extension_path
, false, kFilesAndDirectories
);
347 while (!(file
= all_files
.Next()).empty()) {
348 base::FilePath::StringType filename
= file
.BaseName().value();
350 // Skip all that don't start with "_".
351 if (filename
.find_first_of(FILE_PATH_LITERAL("_")) != 0)
353 if (reserved_underscore_names
.find(filename
) ==
354 reserved_underscore_names
.end()) {
355 *error
= base::StringPrintf(
356 "Cannot load extension with file or directory name %s. "
357 "Filenames starting with \"_\" are reserved for use by the system.",
358 file
.BaseName().AsUTF8Unsafe().c_str());
366 bool CheckForWindowsReservedFilenames(const base::FilePath
& extension_dir
,
367 std::string
* error
) {
368 const int kFilesAndDirectories
=
369 base::FileEnumerator::DIRECTORIES
| base::FileEnumerator::FILES
;
370 base::FileEnumerator
traversal(extension_dir
, true, kFilesAndDirectories
);
372 for (base::FilePath current
= traversal
.Next(); !current
.empty();
373 current
= traversal
.Next()) {
374 base::FilePath::StringType filename
= current
.BaseName().value();
375 bool is_reserved_filename
= net::IsReservedNameOnWindows(filename
);
376 if (is_reserved_filename
) {
377 *error
= base::StringPrintf(
378 "Cannot load extension with file or directory name %s. "
379 "The filename is illegal.",
380 current
.BaseName().AsUTF8Unsafe().c_str());
388 base::FilePath
GetInstallTempDir(const base::FilePath
& extensions_dir
) {
389 // We do file IO in this function, but only when the current profile's
390 // Temp directory has never been used before, or in a rare error case.
391 // Developers are not likely to see these situations often, so do an
392 // explicit thread check.
393 base::ThreadRestrictions::AssertIOAllowed();
395 // Create the temp directory as a sub-directory of the Extensions directory.
396 // This guarantees it is on the same file system as the extension's eventual
398 base::FilePath temp_path
= extensions_dir
.Append(kTempDirectoryName
);
399 if (base::PathExists(temp_path
)) {
400 if (!base::DirectoryExists(temp_path
)) {
401 DLOG(WARNING
) << "Not a directory: " << temp_path
.value();
402 return base::FilePath();
404 if (!base::PathIsWritable(temp_path
)) {
405 DLOG(WARNING
) << "Can't write to path: " << temp_path
.value();
406 return base::FilePath();
408 // This is a directory we can write to.
412 // Directory doesn't exist, so create it.
413 if (!base::CreateDirectory(temp_path
)) {
414 DLOG(WARNING
) << "Couldn't create directory: " << temp_path
.value();
415 return base::FilePath();
420 void DeleteFile(const base::FilePath
& path
, bool recursive
) {
421 base::DeleteFile(path
, recursive
);
424 base::FilePath
ExtensionURLToRelativeFilePath(const GURL
& url
) {
425 std::string url_path
= url
.path();
426 if (url_path
.empty() || url_path
[0] != '/')
427 return base::FilePath();
429 // Drop the leading slashes and convert %-encoded UTF8 to regular UTF8.
430 std::string file_path
= net::UnescapeURLComponent(url_path
,
431 net::UnescapeRule::SPACES
| net::UnescapeRule::URL_SPECIAL_CHARS
);
432 size_t skip
= file_path
.find_first_not_of("/\\");
433 if (skip
!= file_path
.npos
)
434 file_path
= file_path
.substr(skip
);
436 base::FilePath path
= base::FilePath::FromUTF8Unsafe(file_path
);
438 // It's still possible for someone to construct an annoying URL whose path
439 // would still wind up not being considered relative at this point.
440 // For example: chrome-extension://id/c:////foo.html
441 if (path
.IsAbsolute())
442 return base::FilePath();
447 base::FilePath
ExtensionResourceURLToFilePath(const GURL
& url
,
448 const base::FilePath
& root
) {
449 std::string host
= net::UnescapeURLComponent(url
.host(),
450 net::UnescapeRule::SPACES
| net::UnescapeRule::URL_SPECIAL_CHARS
);
452 return base::FilePath();
454 base::FilePath relative_path
= ExtensionURLToRelativeFilePath(url
);
455 if (relative_path
.empty())
456 return base::FilePath();
458 base::FilePath path
= root
.AppendASCII(host
).Append(relative_path
);
459 if (!base::PathExists(path
))
460 return base::FilePath();
461 path
= base::MakeAbsoluteFilePath(path
);
462 if (path
.empty() || !root
.IsParent(path
))
463 return base::FilePath();
467 bool ValidateExtensionIconSet(const ExtensionIconSet
& icon_set
,
468 const Extension
* extension
,
469 int error_message_id
,
470 std::string
* error
) {
471 for (ExtensionIconSet::IconMap::const_iterator iter
= icon_set
.map().begin();
472 iter
!= icon_set
.map().end();
474 const base::FilePath path
=
475 extension
->GetResource(iter
->second
).GetFilePath();
476 if (!ValidateFilePath(path
)) {
477 *error
= l10n_util::GetStringFUTF8(error_message_id
,
478 base::UTF8ToUTF16(iter
->second
));
485 MessageBundle
* LoadMessageBundle(
486 const base::FilePath
& extension_path
,
487 const std::string
& default_locale
,
488 std::string
* error
) {
490 // Load locale information if available.
491 base::FilePath locale_path
= extension_path
.Append(kLocaleFolder
);
492 if (!base::PathExists(locale_path
))
495 std::set
<std::string
> chrome_locales
;
496 extension_l10n_util::GetAllLocales(&chrome_locales
);
498 base::FilePath default_locale_path
= locale_path
.AppendASCII(default_locale
);
499 if (default_locale
.empty() ||
500 chrome_locales
.find(default_locale
) == chrome_locales
.end() ||
501 !base::PathExists(default_locale_path
)) {
502 *error
= l10n_util::GetStringUTF8(
503 IDS_EXTENSION_LOCALES_NO_DEFAULT_LOCALE_SPECIFIED
);
507 MessageBundle
* message_bundle
=
508 extension_l10n_util::LoadMessageCatalogs(
511 extension_l10n_util::CurrentLocaleOrDefault(),
514 return message_bundle
;
517 MessageBundle::SubstitutionMap
* LoadMessageBundleSubstitutionMap(
518 const base::FilePath
& extension_path
,
519 const std::string
& extension_id
,
520 const std::string
& default_locale
) {
521 MessageBundle::SubstitutionMap
* return_value
=
522 new MessageBundle::SubstitutionMap();
523 if (!default_locale
.empty()) {
524 // Touch disk only if extension is localized.
526 scoped_ptr
<MessageBundle
> bundle(
527 LoadMessageBundle(extension_path
, default_locale
, &error
));
530 *return_value
= *bundle
->dictionary();
533 // Add @@extension_id reserved message here, so it's available to
534 // non-localized extensions too.
535 return_value
->insert(
536 std::make_pair(MessageBundle::kExtensionIdKey
, extension_id
));
541 MessageBundle::SubstitutionMap
* LoadMessageBundleSubstitutionMapWithImports(
542 const std::string
& extension_id
,
543 const ExtensionSet
& extension_set
) {
544 const Extension
* extension
= extension_set
.GetByID(extension_id
);
545 MessageBundle::SubstitutionMap
* return_value
=
546 new MessageBundle::SubstitutionMap();
548 // Add @@extension_id reserved message here, so it's available to
549 // non-localized extensions too.
550 return_value
->insert(
551 std::make_pair(MessageBundle::kExtensionIdKey
, extension_id
));
553 base::FilePath extension_path
;
554 std::string default_locale
;
556 NOTREACHED() << "Missing extension " << extension_id
;
560 // Touch disk only if extension is localized.
561 default_locale
= LocaleInfo::GetDefaultLocale(extension
);
562 if (default_locale
.empty()) {
567 scoped_ptr
<MessageBundle
> bundle(
568 LoadMessageBundle(extension
->path(), default_locale
, &error
));
571 for (auto iter
: *bundle
->dictionary()) {
572 return_value
->insert(std::make_pair(iter
.first
, iter
.second
));
576 auto imports
= extensions::SharedModuleInfo::GetImports(extension
);
577 // Iterate through the imports in reverse. This will allow later imported
578 // modules to override earlier imported modules, as the list order is
579 // maintained from the definition in manifest.json of the imports.
580 for (auto it
= imports
.rbegin(); it
!= imports
.rend(); ++it
) {
581 const extensions::Extension
* imported_extension
=
582 extension_set
.GetByID(it
->extension_id
);
583 if (!imported_extension
) {
584 NOTREACHED() << "Missing shared module " << it
->extension_id
;
587 scoped_ptr
<MessageBundle
> imported_bundle(
588 LoadMessageBundle(imported_extension
->path(), default_locale
, &error
));
590 if (imported_bundle
.get()) {
591 for (auto iter
: *imported_bundle
->dictionary()) {
592 // |insert| only adds new entries, and does not replace entries in
593 // the main extension or previously processed imports.
594 return_value
->insert(std::make_pair(iter
.first
, iter
.second
));
602 base::FilePath
GetVerifiedContentsPath(const base::FilePath
& extension_path
) {
603 return extension_path
.Append(kMetadataFolder
)
604 .Append(kVerifiedContentsFilename
);
606 base::FilePath
GetComputedHashesPath(const base::FilePath
& extension_path
) {
607 return extension_path
.Append(kMetadataFolder
).Append(kComputedHashesFilename
);
610 } // namespace file_util
611 } // namespace extensions