Replace whitespace at beginning and end of file with hyphens, rather than silently discarding.

net/base/net_util.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "net/base/net_util.h"
 
 #include <unicode/regex.h>
 #include <unicode/ucnv.h>
 #include <unicode/uidna.h>
 #include <unicode/ulocdata.h>
@@ skipping 140 matching lines @@
   0xFFFF, // Used to block all invalid port numbers (see
           // third_party/WebKit/Source/WebCore/platform/KURLGoogle.cpp, port())
 };
 
 // FTP overrides the following restricted ports.
 static const int kAllowedFtpPorts[] = {
   21,   // ftp data
   22,   // ssh
 };
 
+template<typename STR>
+typename STR::size_type CountTrailingChars(
+    const STR& input,
+    const typename STR::value_type
+    trailing_chars[]) {
+  const typename STR::size_type last_good_char =
+    input.find_last_not_of(trailing_chars);
+
+  if (last_good_char == std::string::npos)
+    return input.length();
+  else
+    return input.length() - last_good_char - 1;
+}
+
 // Similar to Base64Decode. Decodes a Q-encoded string to a sequence
 // of bytes. If input is invalid, return false.
 bool QPDecode(const std::string& input, std::string* output) {
   std::string temp;
   temp.reserve(input.size());
   std::string::const_iterator it = input.begin();
   while (it != input.end()) {
     if (*it == '_') {
       temp.push_back(' ');
     } else if (*it == '=') {
@@ skipping 1210 matching lines @@
                               const std::string& suggested_name,
                               const string16& default_name) {
   // TODO: this function to be updated to match the httpbis recommendations.
   // Talk to abarth for the latest news.
 
   // We don't translate this fallback string, "download". If localization is
   // needed, the caller should provide localized fallback default_name.
   static const char* kFinalFallbackName = "download";
 
   std::string filename;
+  std::string::size_type trimmed_trailing_character_count = 0;
 
   // Try to extract from content-disposition first.
   if (!content_disposition.empty())
     filename = GetFileNameFromCD(content_disposition, referrer_charset);
 
   // Then try to use suggested name.
   if (filename.empty() && !suggested_name.empty())
     filename = suggested_name;
 
   if (!filename.empty()) {
     // Replace any path information the server may have sent, by changing
     // path separators with underscores.
     ReplaceSubstringsAfterOffset(&filename, 0, "/", "_");
     ReplaceSubstringsAfterOffset(&filename, 0, "\\", "_");
 
     // Next, remove "." from the beginning and end of the file name to avoid
     // tricks with hidden files, "..", and "."
+    trimmed_trailing_character_count += CountTrailingChars(filename, ".");
     TrimString(filename, ".", &filename);
   }
 
   if (filename.empty()) {
+    trimmed_trailing_character_count = 0;
     // about: and data: URLs don't have file names, but esp. data: URLs may
     // contain parts that look like ones (i.e., contain a slash).
     // Therefore we don't attempt to divine a file name out of them.
     if (url.SchemeIs("about") || url.SchemeIs("data")) {
       return default_name.empty() ? ASCIIToUTF16(kFinalFallbackName)
                                   : default_name;
     }
 
     if (url.is_valid()) {
       const std::string unescaped_url_filename = UnescapeURLComponent(
@@ skipping 10 matching lines @@
                    &decoded_filename);
       }
 
       filename = decoded_filename;
     }
   }
 
 #if defined(OS_WIN)
   { // Handle CreateFile() stripping trailing dots and spaces on filenames
     // http://support.microsoft.com/kb/115827
-    std::string::size_type pos = filename.find_last_not_of(" .");
-    if (pos == std::string::npos)
-      filename.resize(0);
-    else
-      filename.resize(++pos);
+    trimmed_trailing_character_count += CountTrailingChars(filename, " .");
+    filename.resize(filename.length() - trimmed_trailing_character_count);
   }
 #endif
   // Trim '.' once more.
   TrimString(filename, ".", &filename);
 
   // If there's no filename or it gets trimed to be empty, use
   // the URL hostname or default_name
   if (filename.empty()) {
+    trimmed_trailing_character_count = 0;
     if (!default_name.empty()) {
       return default_name;
     } else if (url.is_valid()) {
       // Some schemes (e.g. file) do not have a hostname. Even though it's
       // not likely to reach here, let's hardcode the last fallback name.
       // TODO(jungshik) : Decode a 'punycoded' IDN hostname. (bug 1264451)
       filename = url.host().empty() ? kFinalFallbackName : url.host();
     } else {
       NOTREACHED();
     }
   }
 
 #if defined(OS_WIN)
   string16 path = UTF8ToUTF16(filename);
+  // On Windows we want to preserve or replace all characters including
+  // whitespace to prevent file extension obfuscation on trusted websites
+  // e.g. Gmail might think evil.exe. is safe, so we don't want it to become
+  // evil.exe when we download it
+  trimmed_trailing_character_count += path.length();
+  TrimWhitespace(path, TRIM_TRAILING, &path);
+  trimmed_trailing_character_count -= path.length();
   file_util::ReplaceIllegalCharactersInPath(&path, '-');
+  path.append(trimmed_trailing_character_count, '-');
   return path;
 #else
   std::string path = filename;
   file_util::ReplaceIllegalCharactersInPath(&path, '-');
   return UTF8ToUTF16(path);
 #endif
 }
 
 FilePath GenerateFileName(const GURL& url,
                           const std::string& content_disposition,
@@ skipping 923 matching lines @@
 
 NetworkInterface::NetworkInterface(const std::string& name,
                                    const IPAddressNumber& address)
     : name(name), address(address) {
 }
 
 NetworkInterface::~NetworkInterface() {
 }
 
 }  // namespace net