Force update checks to use SSL for store-hosted extensions/apps.

chrome/browser/extensions/updater/extension_downloader.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/extensions/updater/extension_downloader.h"
 
 #include <utility>
 
 #include "base/bind.h"
 #include "base/command_line.h"
@@ skipping 132 matching lines @@
     return false;
   }
 
   // If the extension updates itself from the gallery, ignore any update URL
   // data.  At the moment there is no extra data that an extension can
   // communicate to the the gallery update servers.
   std::string update_url_data;
   if (!extension.UpdatesFromGallery())
     update_url_data = delegate_->GetUpdateUrlData(extension.id());
 
+  // Make sure we use SSL for store-hosted extensions.
+  GURL update_url = extension.update_url();
+  if (extension.UpdatesFromGallery() && !update_url.SchemeIsSecure())
+    update_url = extension_urls::GetWebstoreUpdateUrl();
+
   return AddExtensionData(extension.id(), *extension.version(),
-                          extension.GetType(), extension.update_url(),
+                          extension.GetType(), update_url,
                           update_url_data);
 }
 
 bool ExtensionDownloader::AddPendingExtension(const std::string& id,
                                               const GURL& update_url) {
   // Use a zero version to ensure that a pending extension will always
   // be updated, and thus installed (assuming all extensions have
   // non-zero versions).
   Version version("0.0.0.0");
   DCHECK(version.IsValid());
@@ skipping 15 matching lines @@
   fetches_preparing_.clear();
 }
 
 void ExtensionDownloader::StartBlacklistUpdate(
     const std::string& version,
    const ManifestFetchData::PingData& ping_data) {
   // Note: it is very important that we use the https version of the update
   // url here to avoid DNS hijacking of the blacklist, which is not validated
   // by a public key signature like .crx files are.
   ManifestFetchData* blacklist_fetch =
-      new ManifestFetchData(extension_urls::GetWebstoreUpdateUrl(true));
+      new ManifestFetchData(extension_urls::GetWebstoreUpdateUrl());
+  DCHECK(blacklist_fetch->base_url().SchemeIsSecure());
   blacklist_fetch->AddExtension(kBlacklistAppID, version, &ping_data, "",
                                 kDefaultInstallSource);
   StartUpdateCheck(blacklist_fetch);
 }
 
 bool ExtensionDownloader::AddExtensionData(const std::string& id,
                                            const Version& version,
                                            Extension::Type extension_type,
                                            GURL update_url,
                                            const std::string& update_url_data) {
   // Skip extensions with non-empty invalid update URLs.
   if (!update_url.is_empty() && !update_url.is_valid()) {
     LOG(WARNING) << "Extension " << id << " has invalid update url "
                  << update_url;
     return false;
   }
 
+  // Double-check that we're using https for webstore urls.
+  if (extension_urls::IsWebstoreUpdateUrl(update_url) &&
+      !update_url.SchemeIsSecure() &&
+      extension_urls::GetWebstoreUpdateUrl().SchemeIsSecure()) {
+    NOTREACHED() << "Refusing to send non-secure update check for " << id
+                 << " (" << update_url.spec() << ")";
+    return false;
+  }
+
   // Skip extensions with empty IDs.
   if (id.empty()) {
     LOG(WARNING) << "Found extension with empty ID";
     return false;
   }
 
   if (update_url.DomainIs("google.com")) {
     url_stats_.google_url_count++;
   } else if (update_url.is_empty()) {
     url_stats_.no_url_count++;
     // Fill in default update URL.
-    //
-    // TODO(akalin): Figure out if we should use the HTTPS version.
-    update_url = extension_urls::GetWebstoreUpdateUrl(false);
+    update_url = extension_urls::GetWebstoreUpdateUrl();
   } else {
     url_stats_.other_url_count++;
   }
 
   switch (extension_type) {
     case Extension::TYPE_THEME:
       ++url_stats_.theme_count;
       break;
     case Extension::TYPE_EXTENSION:
     case Extension::TYPE_USER_SCRIPT:
       ++url_stats_.extension_count;
       break;
     case Extension::TYPE_HOSTED_APP:
     case Extension::TYPE_PACKAGED_APP:
       ++url_stats_.app_count;
       break;
     case Extension::TYPE_UNKNOWN:
     default:
       ++url_stats_.pending_count;
       break;
   }
 
   std::vector<GURL> update_urls;
   update_urls.push_back(update_url);
   // If UMA is enabled, also add to ManifestFetchData for the
   // webstore update URL.
   if (!extension_urls::IsWebstoreUpdateUrl(update_url) &&
       MetricsServiceHelper::IsMetricsReportingEnabled()) {
-    update_urls.push_back(extension_urls::GetWebstoreUpdateUrl(false));
+    update_urls.push_back(extension_urls::GetWebstoreUpdateUrl());
   }
 
   for (size_t i = 0; i < update_urls.size(); ++i) {
     DCHECK(!update_urls[i].is_empty());
     DCHECK(update_urls[i].is_valid());
 
     std::string install_source = i == 0 ?
         kDefaultInstallSource : kNotFromWebstoreInstallSource;
 
     ManifestFetchData::PingData ping_data;
@@ skipping 164 matching lines @@
     return;
   }
 
   // Examine the parsed manifest and kick off fetches of any new crx files.
   std::vector<int> updates;
   DetermineUpdates(fetch_data, *results, &updates);
   for (size_t i = 0; i < updates.size(); i++) {
     const UpdateManifest::Result* update = &(results->list.at(updates[i]));
     const std::string& id = update->extension_id;
     not_updated.erase(id);
+
+    GURL crx_url = update->crx_url;
     if (id != kBlacklistAppID) {
       NotifyUpdateFound(update->extension_id);
     } else {
       // The URL of the blacklist file is returned by the server and we need to
       // be sure that we continue to be able to reliably detect whether a URL
       // references a blacklist file.
-      DCHECK(extension_urls::IsBlacklistUpdateUrl(update->crx_url))
-          << update->crx_url;
+      DCHECK(extension_urls::IsBlacklistUpdateUrl(crx_url)) << crx_url;
+
+      // Force https (crbug.com/129587).
+      if (!crx_url.SchemeIsSecure()) {

[Aaron Boodman, 2012/05/24 23:17:41]

Will this affect non-store updates?

[asargent_no_longer_on_chrome, 2012/05/24 23:23:53]

No, this is in the else block for the "if (id != kBlacklistAppID) {" check
above. This is handling the results for the blacklist contents - we already
forced the update check for that to be SSL, but this is just ensuring that even
if the server said to use plain http to fetch the blacklist contents, we
override that. A patch is going into the server to make sure they always send a
response with an SSL url for the blacklist. So this is just defense in depth.
(Note that we already ensure that the blacklist contents match a hash the server
told us about in the response to the SSL update check)

+        url_canon::Replacements<char> replacements;
+        std::string scheme("https");
+        replacements.SetScheme(scheme.c_str(),
+                               url_parse::Component(0, scheme.size()));
+        crx_url = crx_url.ReplaceComponents(replacements);
+      }
     }
-    FetchUpdatedExtension(update->extension_id, update->crx_url,
-                          update->package_hash, update->version);
+    FetchUpdatedExtension(update->extension_id, crx_url, update->package_hash,
+                          update->version);
   }
 
   // If the manifest response included a <daystart> element, we want to save
   // that value for any extensions which had sent a ping in the request.
   if (fetch_data.base_url().DomainIs("google.com") &&
       results->daystart_elapsed_seconds >= 0) {
     Time day_start =
         Time::Now() - TimeDelta::FromSeconds(results->daystart_elapsed_seconds);
 
     const std::set<std::string>& extension_ids = fetch_data.extension_ids();
@@ skipping 186 matching lines @@
 }
 
 void ExtensionDownloader::NotifyUpdateFound(const std::string& id) {
   content::NotificationService::current()->Notify(
       chrome::NOTIFICATION_EXTENSION_UPDATE_FOUND,
       content::NotificationService::AllBrowserContextsAndSources(),
       content::Details<const std::string>(&id));
 }
 
 }  // namespace extensions