| blob | 907c7c4f0998947e2c91a41dbbc1f29e75d7de88 |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
5 // Detecting mime types is a tricky business because we need to balance
6 // compatibility concerns with security issues. Here is a survey of how other
7 // browsers behave and then a description of how we intend to behave.
8 //
9 // HTML payload, no Content-Type header:
10 // * IE 7: Render as HTML
11 // * Firefox 2: Render as HTML
12 // * Safari 3: Render as HTML
13 // * Opera 9: Render as HTML
14 //
15 // Here the choice seems clear:
16 // => Chrome: Render as HTML
17 //
18 // HTML payload, Content-Type: "text/plain":
19 // * IE 7: Render as HTML
20 // * Firefox 2: Render as text
21 // * Safari 3: Render as text (Note: Safari will Render as HTML if the URL
22 // has an HTML extension)
23 // * Opera 9: Render as text
24 //
25 // Here we choose to follow the majority (and break some compatibility with IE).
26 // Many folks dislike IE's behavior here.
27 // => Chrome: Render as text
28 // We generalize this as follows. If the Content-Type header is text/plain
29 // we won't detect dangerous mime types (those that can execute script).
30 //
31 // HTML payload, Content-Type: "application/octet-stream":
32 // * IE 7: Render as HTML
33 // * Firefox 2: Download as application/octet-stream
34 // * Safari 3: Render as HTML
35 // * Opera 9: Render as HTML
36 //
37 // We follow Firefox.
38 // => Chrome: Download as application/octet-stream
39 // One factor in this decision is that IIS 4 and 5 will send
40 // application/octet-stream for .xhtml files (because they don't recognize
41 // the extension). We did some experiments and it looks like this doesn't occur
42 // very often on the web. We choose the more secure option.
43 //
44 // GIF payload, no Content-Type header:
45 // * IE 7: Render as GIF
46 // * Firefox 2: Render as GIF
47 // * Safari 3: Download as Unknown (Note: Safari will Render as GIF if the
48 // URL has an GIF extension)
49 // * Opera 9: Render as GIF
50 //
51 // The choice is clear.
52 // => Chrome: Render as GIF
53 // Once we decide to render HTML without a Content-Type header, there isn't much
54 // reason not to render GIFs.
55 //
56 // GIF payload, Content-Type: "text/plain":
57 // * IE 7: Render as GIF
58 // * Firefox 2: Download as application/octet-stream (Note: Firefox will
59 // Download as GIF if the URL has an GIF extension)
60 // * Safari 3: Download as Unknown (Note: Safari will Render as GIF if the
61 // URL has an GIF extension)
62 // * Opera 9: Render as GIF
63 //
64 // Displaying as text/plain makes little sense as the content will look like
65 // gibberish. Here, we could change our minds and download.
66 // => Chrome: Render as GIF
67 //
68 // GIF payload, Content-Type: "application/octet-stream":
69 // * IE 7: Render as GIF
70 // * Firefox 2: Download as application/octet-stream (Note: Firefox will
71 // Download as GIF if the URL has an GIF extension)
72 // * Safari 3: Download as Unknown (Note: Safari will Render as GIF if the
73 // URL has an GIF extension)
74 // * Opera 9: Render as GIF
75 //
76 // We used to render as GIF here, but the problem is that some sites want to
77 // trigger downloads by sending application/octet-stream (even though they
78 // should be sending Content-Disposition: attachment). Although it is safe
79 // to render as GIF from a security perspective, we actually get better
80 // compatibility if we don't sniff from application/octet stream at all.
81 // => Chrome: Download as application/octet-stream
82 //
83 // XHTML payload, Content-Type: "text/xml":
84 // * IE 7: Render as XML
85 // * Firefox 2: Render as HTML
86 // * Safari 3: Render as HTML
87 // * Opera 9: Render as HTML
88 // The layout tests rely on us rendering this as HTML.
89 // But we're conservative in XHTML detection, as this runs afoul of the
90 // "don't detect dangerous mime types" rule.
91 //
92 // Note that our definition of HTML payload is much stricter than IE's
93 // definition and roughly the same as Firefox's definition.
95 #include <stdint.h>
96 #include <string>
107 // The number of content bytes we need to use all our magic numbers. Feel free
108 // to increase this number if you add a longer magic number.
117 };
119 #define MAGIC_NUMBER(mime_type, magic) \
120 { (mime_type), (magic), sizeof(magic)-1, false, NULL },
128 };
130 #define verified_sizeof(magic, mask) \
131 VerifySizes<sizeof(magic), sizeof(mask)>::SIZES
133 #define MAGIC_MASK(mime_type, magic, mask) \
134 { (mime_type), (magic), verified_sizeof(magic, mask)-1, false, (mask) },
136 // Magic strings are case insensitive and must not include '\0' characters
137 #define MAGIC_STRING(mime_type, magic) \
138 { (mime_type), (magic), sizeof(magic)-1, true, NULL },
141 // Source: HTML 5 specification
149 // Source: Mozilla
154 // Chrome specific
169 // Sniffing for Flash:
170 //
171 // MAGIC_NUMBER("application/x-shockwave-flash", "CWS")
172 // MAGIC_NUMBER("application/x-shockwave-flash", "FLV")
173 // MAGIC_NUMBER("application/x-shockwave-flash", "FWS")
174 //
175 // Including these magic number for Flash is a trade off.
176 //
177 // Pros:
178 // * Flash is an important and popular file format
179 //
180 // Cons:
181 // * These patterns are fairly weak
182 // * If we mistakenly decide something is Flash, we will execute it
183 // in the origin of an unsuspecting site. This could be a security
184 // vulnerability if the site allows users to upload content.
185 //
186 // On balance, we do not include these patterns.
187 };
189 // The number of content bytes we need to use all our Microsoft Office magic
190 // numbers.
196 };
199 DOC_TYPE_WORD,
200 DOC_TYPE_EXCEL,
201 DOC_TYPE_POWERPOINT,
202 DOC_TYPE_NONE
203 };
206 OfficeDocType doc_type;
209 };
211 #define OFFICE_EXTENSION(type, extension) \
212 { (type), (extension), sizeof(extension) - 1 },
221 };
241 // RAW image types.
255 };
257 // Our HTML sniffer differs slightly from Mozilla. For example, Mozilla will
258 // decide that a document that begins "<!DOCTYPE SOAP-ENV:Envelope PUBLIC " is
259 // HTML, but we will not.
261 #define MAGIC_HTML_TAG(tag) \
265 // XML processing directive. Although this is not an HTML mime type, we sniff
266 // for this in the HTML phase because text/xml is just as powerful as HTML and
267 // we want to leverage our white space skipping technology.
269 // DOCTYPEs
271 // Sniffable tags, ordered by how often they occur in sniffable documents.
288 };
296 }
298 // Compare content header to a magic number where magic_entry can contain '.'
299 // for single character of anything, allowing some bytes to be skipped.
307 }
309 }
311 // Like MagicCmp() except that it ANDs each byte with a mask before
312 // the comparison, because there are some bits we don't care about.
324 }
326 }
334 // Keep kBytesRequiredForMagic honest.
337 // To compare with magic strings, we need to compute strlen(content), but
338 // content might not actually have a null terminator. In that case, we
339 // pretend the length is content_size.
347 // String comparisons are case-insensitive
349 }
356 }
357 }
358 }
363 }
365 }
375 }
376 }
378 }
380 // Truncates |size| to |max_size| and returns true if |size| is at least
381 // |max_size|.
383 // Keep kMaxBytesToSniff honest.
389 }
391 }
393 // Returns true and sets result if the content appears to be HTML.
394 // Clears have_enough_content if more data could possibly change the result.
399 // For HTML, we are willing to consider up to 512 bytes. This may be overly
400 // conservative as IE only considers 256.
403 // We adopt a strategy similar to that used by Mozilla to sniff HTML tags,
404 // but with some modifications to better match the HTML5 spec.
410 }
415 }
416 // |pos| now points to first non-whitespace character (or at end).
420 }
422 // Returns true and sets result if the content matches any of kMagicNumbers.
423 // Clears have_enough_content if more data could possibly change the result.
430 // Check our big table of Magic Numbers
435 }
439 }
441 // Returns true and sets result if the content matches any of
442 // kOfficeMagicNumbers, and the URL has the proper extension.
443 // Clears |have_enough_content| if more data could possibly change the result.
451 // Check our table of magic numbers for Office file types.
472 }
473 }
492 }
510 }
511 }
515 }
536 }
538 // This function checks for files that have a Microsoft Office MIME type
539 // set, but are not actually Office files.
540 //
541 // If this is not actually an Office file, |*result| is set to
542 // "application/octet-stream", otherwise it is not modified.
543 //
544 // Returns false if additional data is required to determine the file type, or
545 // true if there is enough data to make a decision.
553 // Check our table of magic numbers for Office file types. If it does not
554 // match one, the MIME type was invalid. Set it instead to a safe value.
560 }
562 // We have enough information to determine if this was a Microsoft Office
563 // document or not, so sniffing is completed.
565 }
567 // Byte order marks
569 // We want to be very conservative in interpreting text/xml content as
570 // XHTML -- we just want to sniff enough to make unit tests pass.
571 // So we match explicitly on this, and don't match other ways of writing
572 // it in semantically-equivalent ways.
577 };
579 // Returns true and sets result if the content appears to contain XHTML or a
580 // feed.
581 // Clears have_enough_content if more data could possibly change the result.
582 //
583 // TODO(evanm): this is similar but more conservative than what Safari does,
584 // while HTML5 has a different recommendation -- what should we do?
585 // TODO(evanm): this is incorrect for documents whose encoding isn't a superset
586 // of ASCII -- do we care?
591 // We allow at most 300 bytes of content before we expect the opening tag.
596 // This loop iterates through tag-looking offsets in the file.
597 // We want to skip XML processing instructions (of the form "<?xml ...")
598 // and stop at the first "plain" tag, then make a decision on the mime-type
599 // based on the name (or possibly attributes) of that tag.
604 }
613 // Skip XML declarations.
619 // Skip DOCTYPE declarations.
622 }
629 // TODO(evanm): handle RSS 1.0, which is an RDF format and more difficult
630 // to identify.
632 // If we get here, we've hit an initial tag that hasn't matched one of the
633 // above tests. Abort.
635 }
637 // We iterated too far without finding a start tag.
638 // If we have more content to look at, we aren't going to change our mind by
639 // seeing more bytes from the network.
641 }
643 // Byte order marks
648 };
650 // Returns true and sets result to "application/octet-stream" if the content
651 // appears to be binary data. Otherwise, returns false and sets "text/plain".
652 // Clears have_enough_content if more data could possibly change the result.
657 // There is no concensus about exactly how to sniff for binary content.
658 // * IE 7: Don't sniff for binary looking bytes, but trust the file extension.
659 // * Firefox 3.5: Sniff first 4096 bytes for a binary looking byte.
660 // Here, we side with FF, but with a smaller buffer. This size was chosen
661 // because it is small enough to comfortably fit into a single packet (after
662 // allowing for headers) and yet large enough to account for binary formats
663 // that have a significant amount of ASCII at the beginning (crbug.com/15314).
666 // First, we look for a BOM.
671 }
676 // If there is BOM, we think the buffer is not binary.
679 }
681 // Next we look to see if any of the bytes "look binary."
685 }
687 // No evidence either way. Default to non-binary and, if truncated, clear
688 // have_enough_content because there could be a binary looking byte in the
689 // truncated data.
693 }
696 // TODO(tc): Maybe reuse some code in net/http/http_response_headers.* here.
697 // If we do, please be careful not to alter the semantics at all.
699 // Empty mime types are as unknown as they get.
701 // The unknown/unknown type is popular and uninformative
703 // The second most popular unknown mime type is application/unknown
705 // Firefox rejects a mime type if it is exactly */*
707 };
712 }
717 }
718 }
720 // Firefox rejects a mime type if it does not contain a slash
723 }
725 }
727 // Returns true and sets result if the content appears to be a crx (Chrome
728 // extension) file.
729 // Clears have_enough_content if more data could possibly change the result.
740 // Technically, the crx magic number is just Cr24, but the bytes after that
741 // are a version number which changes infrequently. Including it in the
742 // sniffing gives us less room for error. If the version number ever changes,
743 // we can just add an entry to this list.
744 //
745 // TODO(aa): If we ever have another magic number, we'll want to pass a
746 // histogram into CheckForMagicNumbers(), below, to see which one matched.
749 };
751 // Only consider files that have the extension ".crx".
753 // Ignore null by subtracting 1.
760 }
769 }
772 }
777 should_sniff_counter =
779 }
783 #if defined(OS_ANDROID)
785 #endif
791 }
794 // Many web servers are misconfigured to send text/plain for many
795 // different types of content.
797 // We want to sniff application/octet-stream for
798 // application/x-chrome-extension, but nothing else.
800 // XHTML and Atom/RSS feeds are often served as plain xml instead of
801 // their more specific mime types.
804 // Check for false Microsoft Office MIME types.
819 };
824 }
830 }
831 }
833 // The web server didn't specify a content type or specified a mime
834 // type that we ignore.
838 }
841 }
852 // By default, we assume we have enough content.
853 // Each sniff routine may unset this if it wasn't provided enough content.
856 // By default, we'll return the type hint.
857 // Each sniff routine may modify this if it has a better guess..
860 // If the file has a Microsoft Office MIME type, we should only check that it
861 // is a valid Office file. Because this is the only reason we sniff files
862 // with a Microsoft Office MIME type, we can return early.
866 // Cache information about the type_hint
869 // First check for HTML
871 // We're only willing to sniff HTML if the server has not supplied a mime
872 // type, or if the type it did supply indicates that it doesn't know what
873 // the type should be.
876 }
878 // We're only willing to sniff for binary in 3 cases:
879 // 1. The server has not supplied a mime type.
880 // 2. The type it did supply indicates that it doesn't know what the type
881 // should be.
882 // 3. The type is "text/plain" which is the default on some web servers and
883 // could be indicative of a mis-configuration that we shield the user from.
887 // If the server said the content was text/plain and it doesn't appear
888 // to be binary, then we trust it.
891 }
892 }
893 }
895 // If we have plain XML, sniff XML subtypes.
897 // We're not interested in sniffing these types for images and the like.
898 // Instead, we're looking explicitly for a feed. If we don't find one
899 // we're done and return early.
903 }
905 // CRX files (Chrome extensions) have a special sniffing algorithm. It is
906 // tighter than the others because we don't have to match legacy behavior.
911 // Check the file extension and magic numbers to see if this is an Office
912 // document. This needs to be checked before the general magic numbers
913 // because zip files and Office documents (OOXML) have the same magic number.
918 // We're not interested in sniffing for magic numbers when the type_hint
919 // is application/octet-stream. Time to bail out.
923 // Now we look in our large table of magic numbers to see if we can find
924 // anything that matches the content.
930 }
935 // First check the extra table.
939 // Finally check the original table.
942 }
945 // The definition of "binary bytes" is from the spec at
946 // https://mimesniff.spec.whatwg.org/#binary-data-byte
947 //
948 // The bytes which are considered to be "binary" are all < 0x20. Encode them
949 // one bit per byte, with 1 for a "binary" bit, and 0 for a "text" bit. The
950 // least-significant bit represents byte 0x00, the most-significant bit
951 // represents byte 0x1F.
958 }
960 }