chrome/browser/download/download_exe.cc - Issue 1403001: Modifying the "dangerous download" algorithm.

Side by Side Diff: chrome/browser/download/download_exe.cc

Issue 1403001: Modifying the "dangerous download" algorithm. (Closed)

Patch Set: Removing unnecessary namespace qualifier Created 10 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

OLD	NEW
1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2010 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include <set>	5 #include <set>

6 #include <string>	6 #include <string>

7	7

8 #include "chrome/browser/download/download_util.h"	8 #include "chrome/browser/download/download_util.h"

9	9

10 #include "base/string_util.h"	10 #include "base/string_util.h"

(...skipping 38 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
49 * of those above. If you wish to allow use of your version of this file only	49 * of those above. If you wish to allow use of your version of this file only

50 * under the terms of either the GPL or the LGPL, and not to allow others to	50 * under the terms of either the GPL or the LGPL, and not to allow others to

51 * use your version of this file under the terms of the MPL, indicate your	51 * use your version of this file under the terms of the MPL, indicate your

52 * decision by deleting the provisions above and replace them with the notice	52 * decision by deleting the provisions above and replace them with the notice

53 * and other provisions required by the GPL or the LGPL. If you do not delete	53 * and other provisions required by the GPL or the LGPL. If you do not delete

54 * the provisions above, a recipient may use your version of this file under	54 * the provisions above, a recipient may use your version of this file under

55 * the terms of any one of the MPL, the GPL or the LGPL.	55 * the terms of any one of the MPL, the GPL or the LGPL.

56 *	56 *

57 * *** END LICENSE BLOCK *** */	57 * *** END LICENSE BLOCK *** */

58	58

59 static const char* const g_executables[] = {	59 static const struct Executables {
	bkr 2010/11/17 02:30:04 jnlp is pretty shady and should likely be included jnlp is pretty shady and should likely be included here. It's included by default with JRE 1.4 and >. http://en.wikipedia.org/wiki/Java_Web_Start says it all
60 "class",	60 const char* extension;

61 "htm",	61 DownloadDangerLevel level;

62 "html",	62 } g_executables[] = {

63 "jar",	63 { "class", AllowOnUserGesture },

64 "pdf",	64 { "htm", AllowOnUserGesture },

65 "pdfxml",	65 { "html", AllowOnUserGesture },
	bkr 2010/11/17 02:30:04 Anything that is rendered as html (htm, html, shtm Anything that is rendered as html (htm, html, shtm, etc.) is pretty dangerous. Running local attacker controlled html usually means arbitrary file/cookie theft (I guess chrome has some protection against this). Running attacker controlled content also allows gives an attacker an opportunity to bypass any other file extension restriction through the use of an EMBED or OBJECT tag. Most plugins will ignore extensions if explicitly called from an EMBED or OBJECT. The security models of browser plugins is complicated, especially when being run from a local context. For example, if I run local html which loads a local SWF I'll have local file access regardless of chrome local html restrictions. Using a local html file to load the local SWF means I can use an arbitrary extension for the SWF file. The same is true with JAR files (although the consequences are greater with JAR) Peter Kasting 2010/11/17 02:36:08 It's at worst as dangerous as .exe and other "has Show quoted text On 2010/11/17 02:30:04, bkr wrote: > Anything that is rendered as html (htm, html, shtm, etc.) is pretty dangerous. It's at worst as dangerous as .exe and other "has to be manually run" types, though, which means AllowOnUserGesture is sufficient. The "Dangerous" value should be reserved for things that are dangerous just sitting on the drive, like DLLs.
66 "mars",	66 { "jar", AllowOnUserGesture },
	Chris Evans 2010/11/19 02:55:54 Mark jar (as well as jnlp) dangerous. Mark jar (as well as jnlp) dangerous.
67 "fdf",	67 { "pdf", AllowOnUserGesture },

68 "xfdf",	68 { "pdfxml", AllowOnUserGesture },

69 "xdp",	69 { "mars", AllowOnUserGesture },

70 "xfd",	70 { "fdf", AllowOnUserGesture },

71 "pl",	71 { "xfdf", AllowOnUserGesture },

72 "py",	72 { "xdp", AllowOnUserGesture },

73 "rb",	73 { "xfd", AllowOnUserGesture },

74 "shtm",	74 { "pl", AllowOnUserGesture },

75 "shtml",	75 { "py", AllowOnUserGesture },

76 "svg",	76 { "rb", AllowOnUserGesture },
	Chris Evans 2010/11/19 02:55:54 .pl .py .rb and any other script extensions -> dan .pl .py .rb and any other script extensions -> dangerous.
77 "swf",	77 { "shtm", AllowOnUserGesture },

78 "xht",	78 { "shtml", AllowOnUserGesture },

79 "xhtm",	79 { "svg", AllowOnUserGesture },

80 "xhtml",	80 { "swf", AllowOnUserGesture },

81 "xml",	81 { "xht", AllowOnUserGesture },

82 "xsl",	82 { "xhtm", AllowOnUserGesture },

83 "xslt",	83 { "xhtml", AllowOnUserGesture },

	84 { "xml", AllowOnUserGesture },

	85 { "xsl", AllowOnUserGesture },

	86 { "xslt", AllowOnUserGesture },

84 #if defined(OS_WIN)	87 #if defined(OS_WIN)
	bkr 2010/11/17 02:30:04 chm (compiled help files) chi (collection/index of chm (compiled help files) chi (collection/index of chms) lnk <--like shortcuts... but better ;) mmc (management console files) Peter Kasting 2010/11/17 02:36:08 That one is present already. Show quoted text On 2010/11/17 02:30:04, bkr wrote: > chm (compiled help files) That one is present already.
85 "ad",	88 { "ad", AllowOnUserGesture },

86 "ade",	89 { "ade", AllowOnUserGesture },

87 "adp",	90 { "adp", AllowOnUserGesture },

88 "app",	91 { "app", AllowOnUserGesture },

89 "application",	92 { "application", AllowOnUserGesture },

90 "asp",	93 { "asp", AllowOnUserGesture },

91 "asx",	94 { "asx", AllowOnUserGesture },

92 "bas",	95 { "bas", AllowOnUserGesture },

93 "bat",	96 { "bat", AllowOnUserGesture },
	Chris Evans 2010/11/19 02:55:54 bat -> dangerous surely? bat -> dangerous surely?
94 "chm",	97 { "chm", AllowOnUserGesture },

95 "cmd",	98 { "cmd", AllowOnUserGesture },

96 "com",	99 { "com", AllowOnUserGesture },
	Chris Evans 2010/11/19 02:55:54 com == exe, no? -> dangerous!! com == exe, no? -> dangerous!!
97 "cpl",	100 { "cpl", AllowOnUserGesture },

98 "crt",	101 { "crt", AllowOnUserGesture },

99 "dll",	102 { "dll", Dangerous },

100 "exe",	103 { "exe", AllowOnUserGesture },
	Chris Evans 2010/11/19 02:55:54 Yowch. exe is terribly dangerous :) Yowch. exe is terribly dangerous :)
101 "fxp",	104 { "fxp", AllowOnUserGesture },

102 "hlp",	105 { "hlp", AllowOnUserGesture },

103 "hta",	106 { "hta", AllowOnUserGesture },

104 "htt",	107 { "htt", AllowOnUserGesture },

105 "inf",	108 { "inf", AllowOnUserGesture },

106 "ins",	109 { "ins", AllowOnUserGesture },

107 "isp",	110 { "isp", AllowOnUserGesture },

108 "js",	111 { "js", AllowOnUserGesture },

109 "jse",	112 { "jse", AllowOnUserGesture },

110 "lnk",	113 { "lnk", AllowOnUserGesture },

111 "mad",	114 { "mad", AllowOnUserGesture },

112 "maf",	115 { "maf", AllowOnUserGesture },

113 "mag",	116 { "mag", AllowOnUserGesture },

114 "mam",	117 { "mam", AllowOnUserGesture },

115 "maq",	118 { "maq", AllowOnUserGesture },

116 "mar",	119 { "mar", AllowOnUserGesture },

117 "mas",	120 { "mas", AllowOnUserGesture },

118 "mat",	121 { "mat", AllowOnUserGesture },

119 "mau",	122 { "mau", AllowOnUserGesture },

120 "mav",	123 { "mav", AllowOnUserGesture },

121 "maw",	124 { "maw", AllowOnUserGesture },

122 "mda",	125 { "mda", AllowOnUserGesture },

123 "mdb",	126 { "mdb", AllowOnUserGesture },

124 "mde",	127 { "mde", AllowOnUserGesture },

125 "mdt",	128 { "mdt", AllowOnUserGesture },

126 "mdw",	129 { "mdw", AllowOnUserGesture },

127 "mdz",	130 { "mdz", AllowOnUserGesture },

128 "mht",	131 { "mht", AllowOnUserGesture },
	Chris Evans 2010/11/19 02:55:54 I don't know what half of these Windows things are I don't know what half of these Windows things are. We need a Windows security expert to cast an eye over the list before we land this.
129 "mhtml",	132 { "mhtml", AllowOnUserGesture },

130 "msc",	133 { "msc", AllowOnUserGesture },

131 "msh",	134 { "msh", AllowOnUserGesture },

132 "mshxml",	135 { "mshxml", AllowOnUserGesture },

133 "msi",	136 { "msi", AllowOnUserGesture },

134 "msp",	137 { "msp", AllowOnUserGesture },

135 "mst",	138 { "mst", AllowOnUserGesture },

136 "ocx",	139 { "ocx", AllowOnUserGesture },

137 "ops",	140 { "ops", AllowOnUserGesture },

138 "pcd",	141 { "pcd", AllowOnUserGesture },

139 "pif",	142 { "pif", AllowOnUserGesture },

140 "plg",	143 { "plg", AllowOnUserGesture },

141 "prf",	144 { "prf", AllowOnUserGesture },

142 "prg",	145 { "prg", AllowOnUserGesture },

143 "pst",	146 { "pst", AllowOnUserGesture },

144 "reg",	147 { "reg", AllowOnUserGesture },

145 "scf",	148 { "scf", AllowOnUserGesture },

146 "scr",	149 { "scr", AllowOnUserGesture },

147 "sct",	150 { "sct", AllowOnUserGesture },

148 "shb",	151 { "shb", AllowOnUserGesture },

149 "shs",	152 { "shs", AllowOnUserGesture },

150 "url",	153 { "url", AllowOnUserGesture },

151 "vb",	154 { "vb", AllowOnUserGesture },

152 "vbe",	155 { "vbe", AllowOnUserGesture },

153 "vbs",	156 { "vbs", AllowOnUserGesture },

154 "vsd",	157 { "vsd", AllowOnUserGesture },

155 "vsmacros",	158 { "vsmacros", AllowOnUserGesture },

156 "vss",	159 { "vss", AllowOnUserGesture },

157 "vst",	160 { "vst", AllowOnUserGesture },

158 "vsw",	161 { "vsw", AllowOnUserGesture },

159 "ws",	162 { "ws", AllowOnUserGesture },

160 "wsc",	163 { "wsc", AllowOnUserGesture },

161 "wsf",	164 { "wsf", AllowOnUserGesture },

162 "wsh",	165 { "wsh", AllowOnUserGesture },

163 "xbap",	166 { "xbap", AllowOnUserGesture },
	Chris Evans 2010/11/19 02:55:54 xbap is a disaster! -> dangerous xbap is a disaster! -> dangerous
164 #elif defined(OS_MACOSX)	167 #elif defined(OS_MACOSX)

165 // TODO(thakis): Figure out what makes sense here -- crbug.com/19096	168 // TODO(thakis): Figure out what makes sense here -- crbug.com/19096

166 "app",	169 { "app", AllowOnUserGesture },

167 "dmg",	170 { "dmg", AllowOnUserGesture },
	Chris Evans 2010/11/19 02:55:54 I don't know much about Mac. Does it adequately wa I don't know much about Mac. Does it adequately warn upon clicking on a downloaded app / dmg in the download shelf?
168 #elif defined(OS_POSIX)	171 #elif defined(OS_POSIX)

169 // TODO(estade): lengthen this list.	172 // TODO(estade): lengthen this list.

170 "bash",	173 { "bash", AllowOnUserGesture },

171 "csh",	174 { "csh", AllowOnUserGesture },

172 "deb",	175 { "deb", AllowOnUserGesture },

173 "exe",	176 { "exe", AllowOnUserGesture },
	Chris Evans 2010/11/19 02:55:54 exe seems to be repeated here? exe seems to be repeated here?
174 "ksh",	177 { "ksh", AllowOnUserGesture },

175 "rpm",	178 { "rpm", AllowOnUserGesture },

176 "sh",	179 { "sh", AllowOnUserGesture },
	Chris Evans 2010/11/19 02:55:54 .sh is certainly dangeous, as is .ksh, .tcsh, etc. .sh is certainly dangeous, as is .ksh, .tcsh, etc. Plus, what about a Windows system with Cygwin installed? Does that add file mappings for .sh etc. on the Windows system?
177 "tcsh",	180 { "tcsh", AllowOnUserGesture },

178 #endif	181 #endif

179 };	182 };

180	183

181 bool IsExecutableFile(const FilePath& path) {	184 DownloadDangerLevel GetFileDangerLevel(const FilePath& path) {

182 return IsExecutableExtension(path.Extension());	185 return GetFileExtensionDangerLevel(path.Extension());

183 }	186 }

184	187

185 bool IsExecutableExtension(const FilePath::StringType& extension) {	188 DownloadDangerLevel GetFileExtensionDangerLevel(

	189 const FilePath::StringType& extension) {

186 if (extension.empty())	190 if (extension.empty())

187 return false;	191 return NotDangerous;

188 if (!IsStringASCII(extension))	192 if (!IsStringASCII(extension))

189 return false;	193 return NotDangerous;

190 #if defined(OS_WIN)	194 #if defined(OS_WIN)

191 std::string ascii_extension = WideToASCII(extension);	195 std::string ascii_extension = WideToASCII(extension);

192 #elif defined(OS_POSIX)	196 #elif defined(OS_POSIX)

193 std::string ascii_extension = extension;	197 std::string ascii_extension = extension;

194 #endif	198 #endif

195	199

196 // Strip out leading dot if it's still there	200 // Strip out leading dot if it's still there

197 if (ascii_extension[0] == FilePath::kExtensionSeparator)	201 if (ascii_extension[0] == FilePath::kExtensionSeparator)

198 ascii_extension.erase(0, 1);	202 ascii_extension.erase(0, 1);

199	203

200 for (size_t i = 0; i < arraysize(g_executables); ++i) {	204 for (size_t i = 0; i < arraysize(g_executables); ++i) {

201 if (LowerCaseEqualsASCII(ascii_extension, g_executables[i]))	205 if (LowerCaseEqualsASCII(ascii_extension, g_executables[i].extension))

202 return true;	206 return g_executables[i].level;

203 }	207 }

204 return false;	208 return NotDangerous;

	209 }

	210

	211 bool IsFileExtensionSafe(const FilePath::StringType& extension) {

	212 return GetFileExtensionDangerLevel(extension) == NotDangerous;

	213 }

	214

	215 bool IsFileSafe(const FilePath& path) {

	216 return GetFileDangerLevel(path) == NotDangerous;

205 }	217 }

206	218

207 static const char* kExecutableWhiteList[] = {	219 static const char* kExecutableWhiteList[] = {

208 // JavaScript is just as powerful as EXE.	220 // JavaScript is just as powerful as EXE.

209 "text/javascript",	221 "text/javascript",

210 "text/javascript;version=*",	222 "text/javascript;version=*",

211 "text/html",	223 "text/html",

212 // Registry files can cause critical changes to the MS OS behavior.	224 // Registry files can cause critical changes to the MS OS behavior.

213 // Addition of this mimetype also addresses bug 7337.	225 // Addition of this mimetype also addresses bug 7337.

214 "text/x-registry",	226 "text/x-registry",

(...skipping 17 matching lines...) Expand all Loading...
232 for (size_t i = 0; i < arraysize(kExecutableBlackList); ++i) {	244 for (size_t i = 0; i < arraysize(kExecutableBlackList); ++i) {

233 if (net::MatchesMimeType(kExecutableBlackList[i], mime_type))	245 if (net::MatchesMimeType(kExecutableBlackList[i], mime_type))

234 return false;	246 return false;

235 }	247 }

236 // We consider only other application types to be executable.	248 // We consider only other application types to be executable.

237 return net::MatchesMimeType("application/*", mime_type);	249 return net::MatchesMimeType("application/*", mime_type);

238 }	250 }

239	251

240	252

241 } // namespace download_util	253 } // namespace download_util

OLD	NEW

« no previous file with comments | « no previous file | chrome/browser/download/download_item.cc » ('j') | no next file with comments »