[Downloads] Prevent dangerous files from being opened automatically.

chrome/browser/download/download_extensions.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <set>
 #include <string>
 
 #include "chrome/browser/download/download_extensions.h"
 
 #include "base/strings/string_util.h"
@@ skipping 209 matching lines @@
   if (ascii_extension[0] == base::FilePath::kExtensionSeparator)
     ascii_extension.erase(0, 1);
 
   for (size_t i = 0; i < arraysize(g_executables); ++i) {
     if (LowerCaseEqualsASCII(ascii_extension, g_executables[i].extension))
       return g_executables[i].level;
   }
   return NOT_DANGEROUS;
 }
 
+bool IsAllowedToOpenAutomatically(const base::FilePath& path) {
+  // This is probably overly conservative, but the intention is that if the file
+  // type was dangerous enough to require prompting, then we shouldn't allow
+  // opening it automatically.
+  base::FilePath::StringType extension(path.FinalExtension());
+  return !extension.empty() && GetFileDangerLevel(path) == NOT_DANGEROUS;

[Randy Smith (Not in Mondays), 2015/06/03 23:44:07]

So we no longer allow ALLOW_ON_USER_GESTURE files to be opened automatically? 
My gut is that that's going to annoy people, though the example I was going to
give was .pdf, which doesn't appear to be a dangerous file type anymore.  Would
it make sense to allow ALLOW_ON_USER_GESTURE types to open automatically iff
they were downloaded associated with a user gesture?  (I know we can't rely on
that, but we've already made the judgement that we're ok with downloading them
with the imperfect signal of a user gesture ...)

[Randy Smith (Not in Mondays), 2015/06/03 23:44:07]

The !extension.empty() test is redundant with the same check in
GetFileDangerLevel(), I think.

[asanka, 2015/06/04 15:30:48]

The check is different. GetFileDangerLevel() returns NOT_DANGEROUS if the file
has no extension. We want files without extensions to return false from this
function since they can't be opened automatically.

Also, regarding the ALLOW_ON_USER_GESTURE behavior: Downloads that had a user
gesture and those that didn't are both equivalent by the time the download
completes. Remember that if there wasn't a user gesture, we would've prompted
the user. In either case, by the end there would be a user gesture.

The only exception to this rule are those files that are now being handled by
SafeBrowsing. Those may not have a user gesture by the end of the download.

+}
+
 static const char* kExecutableWhiteList[] = {
   // JavaScript is just as powerful as EXE.
   "text/javascript",
   "text/javascript;version=*",
   "text/html",
   // Registry files can cause critical changes to the MS OS behavior.
   // Addition of this mimetype also addresses bug 7337.
   "text/x-registry",
   "text/x-sh",
   // Some sites use binary/octet-stream to mean application/octet-stream.
@@ skipping 15 matching lines @@
   for (size_t i = 0; i < arraysize(kExecutableBlackList); ++i) {
     if (net::MatchesMimeType(kExecutableBlackList[i], mime_type))
       return false;
   }
   // We consider only other application types to be executable.
   return net::MatchesMimeType("application/*", mime_type);
 }
 
 
 }  // namespace download_util