Only grant permissions to new extensions from sync if they have the expected version
[chromium-blink-merge.git] / chrome / browser / download / download_extensions.cc
blob22fcff0de6cb45921c5c0214d053c6fb8cfecc06
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 #include <set>
6 #include <string>
8 #include "chrome/browser/download/download_extensions.h"
10 #include "base/strings/string_util.h"
11 #include "base/strings/utf_string_conversions.h"
12 #include "net/base/mime_util.h"
13 #include "net/base/net_util.h"
15 namespace download_util {
17 namespace {
19 enum DownloadAutoOpenHint {
20 ALLOW_AUTO_OPEN,
22 // The file type should not be allowed to open automatically.
24 // Criteria for disallowing a file type from opening automatically:
26 // Includes file types that upon opening may either:
27 // * ... execute arbitrary or harmful code with user privileges.
28 // * ... change configuration of the system to cause harmful behavior
29 // immediately or at some time in the future.
31 // Doesn't include file types that upon opening:
32 // * ... sufficiently warn the user about the fact that:
33 // - This file was downloaded from the internet.
34 // - Opening it can make specified changes to the system.
35 // (Note that any such warnings need to be displayed prior to the harmful
36 // logic being executed).
37 // * ... does nothing particularly dangerous, despite the act of downloading
38 // itself being dangerous (E.g. .local and .manifest files).
39 DISALLOW_AUTO_OPEN,
42 // Guidelines for adding a new dangerous file type:
44 // * Include a comment above the file type that:
45 // - Describes the file type.
46 // - Justifies why it is considered dangerous if this isn't obvious from the
47 // description.
48 // - Justifies why the file type is disallowed from auto opening, if
49 // necessary.
50 // * Add the file extension to the kDangerousFileTypes array in
51 // download_stats.cc.
53 // TODO(asanka): All file types listed below should have descriptions.
54 const struct FileType {
55 const char* extension; // Extension sans leading extension separator.
56 DownloadDangerLevel danger_level;
57 DownloadAutoOpenHint auto_open_hint;
58 } kDownloadFileTypes[] = {
59 // Some files are dangerous on all platforms.
61 // Flash files downloaded locally can sometimes access the local filesystem.
62 {"swf", DANGEROUS, DISALLOW_AUTO_OPEN},
63 {"spl", DANGEROUS, DISALLOW_AUTO_OPEN},
65 // Chrome extensions should be obtained through the web store. Allowed to
66 // open automatically because Chrome displays a prompt prior to
67 // installation.
68 {"crx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
70 // Windows, all file categories. The list is in alphabetical order of
71 // extensions. Exceptions are made for logical groupings of file types.
73 // Some file descriptions are based on
74 // https://support.office.com/article/Blocked-attachments-in-Outlook-3811cddc-17c3-4279-a30c-060ba0207372
75 #if defined(OS_WIN)
76 {"ad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
78 // Microsoft Access related.
79 {"ade", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Project extension
80 {"adp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Project.
81 {"mad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Module Shortcut.
82 {"maf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
83 {"mag", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Diagram Shortcut.
84 {"mam", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Macro Shortcut.
85 {"maq", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Query Shortcut.
86 {"mar", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Report Shortcut.
87 {"mas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Stored Procedures.
88 {"mat", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Table Shortcut.
89 {"mav", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // View Shortcut.
90 {"maw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Data Access Page.
91 {"mda", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Access Add-in.
92 {"mdb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Database.
93 {"mde", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Database.
94 {"mdt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Add-in Data.
95 {"mdw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Workgroup Information.
96 {"mdz", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Wizard Template.
98 // Executable Application.
99 {"app", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
101 // Microsoft ClickOnce depolyment manifest. By default, opens with
102 // dfshim.dll which should prompt the user before running untrusted code.
103 {"application", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
104 // ClickOnce application reference. Basically a .lnk for ClickOnce apps.
105 {"appref-ms", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
107 // Active Server Pages source file.
108 {"asp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
110 // Advanced Stream Redirector. Contains a playlist of media files.
111 {"asx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
113 // Microsoft Visual Basic source file. Opens by default in an editor.
114 {"bas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
116 // Command script.
117 {"bat", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
119 {"cfg", DANGEROUS, ALLOW_AUTO_OPEN},
121 // Windows Compiled HTML Help files.
122 {"chi", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
123 {"chm", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
125 // Command script.
126 {"cmd", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
128 // Windows legacy executable.
129 {"com", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
131 // Control panel tool. Executable.
132 {"cpl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
134 // Signed certificate file.
135 {"crt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
137 // Windows executables.
138 {"dll", DANGEROUS, DISALLOW_AUTO_OPEN},
139 {"drv", DANGEROUS, DISALLOW_AUTO_OPEN},
140 {"exe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
142 // Font file, uses Portable Executable or New Executable format. Not
143 // supposed to contain executable code.
144 {"fon", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
146 // Microsoft FoxPro Compiled Source.
147 {"fxp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
149 // Windows Sidebar Gadget (Vista & Win 7). ZIP archive containing html + js.
150 // Deprecated by Microsoft. Can run arbitrary code with user privileges.
151 // (https://technet.microsoft.com/library/security/2719662)
152 {"gadget", DANGEROUS, DISALLOW_AUTO_OPEN},
154 // MSProgramGroup (?).
155 {"grp", DANGEROUS, ALLOW_AUTO_OPEN},
157 // Windows legacy help file format.
158 {"hlp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
160 // HTML Application. Executes as a fully trusted application.
161 {"hta", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
163 // Hypertext Template File. See https://support.microsoft.com/kb/181689.
164 {"htt", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
166 // Device installation information.
167 {"inf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
169 // Generic configuration file.
170 {"ini", DANGEROUS, ALLOW_AUTO_OPEN},
172 // Microsoft IIS Internet Communication Settings.
173 {"ins", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
175 // Microsoft IIS Internet Service Provider Settings.
176 {"isp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
178 // JavaScript file. May open using Windows Script Host with user level
179 // privileges.
180 {"js", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
182 // JScript encoded script file. Usually produced by running Microsoft Script
183 // Encoder over a .js file.
184 // See https://msdn.microsoft.com/library/d14c8zsc.aspx
185 {"jse", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
187 // Shortcuts. May open anything.
188 {"lnk", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
190 // .local files affect DLL search path for .exe file with same base name.
191 {"local", DANGEROUS, ALLOW_AUTO_OPEN},
193 // While being a generic name, having a .manifest file with the same
194 // basename as .exe file (foo.exe + foo.exe.manifest) changes the dll search
195 // order for the .exe file. Downloading this kind of file to the users'
196 // download directory is almost always the wrong thing to do.
197 {"manifest", DANGEROUS, ALLOW_AUTO_OPEN},
199 // Media Attachment Unit.
200 {"mau", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
202 // Multipart HTML.
203 {"mht", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
204 {"mhtml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
206 {"mmc", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
207 {"mof", DANGEROUS, ALLOW_AUTO_OPEN},
209 // Microsoft Management Console Snap-in. Contains executable code.
210 {"msc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
212 // Microsoft Shell.
213 {"msh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
214 {"msh1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
215 {"msh2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
216 {"mshxml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
217 {"msh1xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
218 {"msh2xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
220 // Windows Installer.
221 {"msi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
222 {"msp", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
223 {"mst", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
225 // ActiveX Control.
226 {"ocx", DANGEROUS, DISALLOW_AUTO_OPEN},
228 // Microsoft Office Profile Settings File.
229 {"ops", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
231 // Microsoft Visual Test.
232 {"pcd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
234 // Program Information File. Originally intended to configure execution
235 // environment for legacy DOS files. They aren't meant to contain executable
236 // code. But Windows may execute a PIF file that is sniffed as a PE file.
237 {"pif", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
239 // Developer Studio Build Log.
240 {"plg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
242 // Windows System File.
243 {"prf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
245 // Program File.
246 {"prg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
248 // Microsoft Exchange Address Book File. Microsoft Outlook Personal Folder
249 // File.
250 {"pst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
252 // Microsoft Windows PowerShell.
253 {"ps1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
254 {"ps1xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
255 {"ps2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
256 {"ps2xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
257 {"psc1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
258 {"psc2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
260 // Registry file. Opening may cause registry settings to change. Users still
261 // need to click through a prompt. So we could consider relaxing the
262 // DISALLOW_AUTO_OPEN restriction.
263 {"reg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
265 // Microsoft Windows Explorer Command.
266 // See https://support.microsoft.com/kb/190355 for an example.
267 {"scf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
269 // Microsoft Windows Screen Saver.
270 {"scr", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
272 // Microsoft Windows Script Component. Microsoft FoxPro Screen.
273 // A Script Component is a COM component created using script.
274 // See https://msdn.microsoft.com/library/aa233148.aspx for an example.
275 {"sct", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
277 // Microsoft Windows Shortcut into a document.
278 // See https://support.microsoft.com/kb/212344
279 {"shb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
281 // Shell Scrap Object File.
282 {"shs", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
284 // System executable. Windows tries hard to prevent you from opening these
285 // types of files.
286 {"sys", DANGEROUS, DISALLOW_AUTO_OPEN},
288 // Internet Shortcut (new since IE9). Both .url and .website are .ini files
289 // that describe a shortcut that points to a URL. They can point at
290 // anything. Dropping a download of this type and opening it automatically
291 // can in effect sidestep origin restrictions etc.
292 {"url", DANGEROUS, DISALLOW_AUTO_OPEN},
293 {"website", DANGEROUS, DISALLOW_AUTO_OPEN},
295 // VBScript files. My open with Windows Script Host and execute with user
296 // privileges.
297 {"vb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
298 {"vbe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
299 {"vbs", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
301 {"vsd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
303 // Microsoft Visual Studio Binary-based Macro Project.
304 {"vsmacros", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
306 {"vss", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
307 {"vst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
309 // Microsoft Visio Workspace.
310 {"vsw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
312 // Windows Script Host related.
313 {"ws", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
314 {"wsc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
315 {"wsf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
316 {"wsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
318 // XAML Browser Application.
319 {"xbap", DANGEROUS, DISALLOW_AUTO_OPEN},
321 // Microsoft Exchange Public Folder Shortcut.
322 {"xnk", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
323 #endif // OS_WIN
325 // Java.
326 #if !defined(OS_CHROMEOS)
327 {"class", DANGEROUS, DISALLOW_AUTO_OPEN},
328 {"jar", DANGEROUS, DISALLOW_AUTO_OPEN},
329 {"jnlp", DANGEROUS, DISALLOW_AUTO_OPEN},
330 #endif
332 #if !defined(OS_CHROMEOS) && !defined(OS_ANDROID)
333 // Scripting languages. (Shells are handled below.)
334 {"pl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
335 {"py", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
336 {"pyc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
337 {"pyw", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
338 {"rb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
340 // Extensible Firmware Interface executable.
341 {"efi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
342 #endif
344 // Shell languages. (OS_ANDROID is OS_POSIX.) OS_WIN shells are handled above.
345 #if defined(OS_POSIX)
346 {"bash", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
347 {"csh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
348 {"ksh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
349 {"sh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
350 {"shar", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
351 {"tcsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
352 #endif
353 #if defined(OS_MACOSX)
354 {"command", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
355 #endif
357 // Package management formats. OS_WIN package formats are handled above.
358 #if defined(OS_MACOSX) || defined(OS_LINUX)
359 {"pkg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
360 #endif
361 #if defined(OS_LINUX)
362 {"deb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
363 {"rpm", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
364 #endif
365 #if defined(OS_ANDROID)
366 {"dex", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
367 #endif
370 // FileType for files with an empty extension.
371 const FileType kEmptyFileType = {nullptr, NOT_DANGEROUS, DISALLOW_AUTO_OPEN};
373 // Default FileType for non-empty extensions that aren't in the list above.
374 const FileType kUnknownFileType = {nullptr, NOT_DANGEROUS, ALLOW_AUTO_OPEN};
376 const FileType& GetFileType(const base::FilePath& path) {
377 base::FilePath::StringType extension(path.FinalExtension());
378 if (extension.empty())
379 return kEmptyFileType;
380 if (!base::IsStringASCII(extension))
381 return kUnknownFileType;
382 #if defined(OS_WIN)
383 std::string ascii_extension = base::UTF16ToASCII(extension);
384 #elif defined(OS_POSIX)
385 std::string ascii_extension = extension;
386 #endif
388 // Strip out leading dot if it's still there
389 if (ascii_extension[0] == base::FilePath::kExtensionSeparator)
390 ascii_extension.erase(0, 1);
392 for (const auto& file_type : kDownloadFileTypes) {
393 if (base::LowerCaseEqualsASCII(ascii_extension, file_type.extension))
394 return file_type;
397 return kUnknownFileType;
400 } // namespace
402 DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
403 return GetFileType(path).danger_level;
406 bool IsAllowedToOpenAutomatically(const base::FilePath& path) {
407 return GetFileType(path).auto_open_hint == ALLOW_AUTO_OPEN;
410 } // namespace download_util