[Downloads] Prevent dangerous files from being opened automatically.

chrome/browser/download/download_extensions.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <set>
 #include <string>
 
 #include "chrome/browser/download/download_extensions.h"
 
 #include "base/strings/string_util.h"
@@ skipping 39 matching lines @@
  * of those above. If you wish to allow use of your version of this file only
  * under the terms of either the GPL or the LGPL, and not to allow others to
  * use your version of this file under the terms of the MPL, indicate your
  * decision by deleting the provisions above and replace them with the notice
  * and other provisions required by the GPL or the LGPL. If you do not delete
  * the provisions above, a recipient may use your version of this file under
  * the terms of any one of the MPL, the GPL or the LGPL.
  *
  * ***** END LICENSE BLOCK ***** */
 
-static const struct Executables {
-    const char* extension;
-    DownloadDangerLevel level;
-} g_executables[] = {
-  // Some files are dangerous on all platforms.
-  //
-  // Flash files downloaded locally can sometimes access the local filesystem.
-  { "swf", DANGEROUS },
-  { "spl", DANGEROUS },
-  // Chrome extensions should be obtained through the web store.
-  { "crx", ALLOW_ON_USER_GESTURE },
+namespace {
+
+enum DownloadAutoOpenHint {
+  ALLOW_AUTO_OPEN,
+
+  // The file type should not be allowed to open automatically.
+  //
+  // This is a subtle distinction from file types that are just dangerous to
+  // download. Allowing a file type to open automatically can result in a
+  // malicious website being able to run harmful code on the users' machine
+  // without the user making an explicit decision to download or open the file
+  // type.
+  //
+  // The existence of the list an acknowledgement that the act of downloading
+  // doesn't necessarily indicate consent to download the specific file that was
+  // written to disk. I.e. a malicious file could drop a download possibly by
+  // clickjacking, or the file written to disk may not be what the user thought
+  // it was. Such a download may even bypass a user prompt if the danger type is
+  // ALLOW_ON_USER_GESTURE. Even if the user explicitly consents to the

[Randy Smith (Not in Mondays), 2015/06/15 19:19:17]

I'd rewrite this a bit to explicitly acknowledge that ALLOW_ON_USER_GESTURE
isn't a reliable security guarantee, more of a speed bump.

[asanka, 2015/06/16 19:23:42]

Yup. I moved the general overview over to download_extensions.h since that, IMO,
should be part of the public interface. I left the comment about specific
criteria here.

+  // download, they should be able to choose when or if the file should be

[Randy Smith (Not in Mondays), 2015/06/15 19:19:17]

The issue is whether they should be forced to rather than whether they be able
to choose to, right?

[asanka, 2015/06/16 19:23:42]

Yeah. Clarified.

+  // opened by the default handler if the file type is dangerous.
+  //
+  // Criteria for disallowing a file type from opening automatically:
+  //
+  // Includes file types that upon opening may either:
+  //   * ... execute arbitrary or harmful code with user privileges.
+  //   * ... change configuration of the system to cause harmful behavior
+  //     immediately or at some time in the future.
+  //
+  // Doesn't include file types that upon opening:
+  //   * ... sufficiently warn the user about the fact that:
+  //     - This file was downloaded from the internet.
+  //     - Opening it can make specified changes to the system.
+  //     (Note that any such warnings need to be displayed prior to the harmful
+  //     logic being executed).
+  //   * ... does nothing particularly dangerous, despite the act of downloading
+  //     itself being dangerous (E.g. .local and .manifest files).
+  DISALLOW_AUTO_OPEN,
+};
+
+const struct FileType {
+  const char* extension;  // Extension sans leading extension separator.
+  DownloadDangerLevel danger_level;
+  DownloadAutoOpenHint auto_open_hint;
+} kDownloadFileTypes[] = {
+    // Some files are dangerous on all platforms.

[Randy Smith (Not in Mondays), 2015/06/15 19:19:17]

I really like the addition of detailed comments to this list.  Of course, the
addition of those comments makes sharper the lack of comments for some file
types.  Not as part of this CL, but maybe long-term we should have a goal of
commenting all lines in this list?  WDYT?

[asanka, 2015/06/16 19:23:42]

Agree completely. I'll fill in the blanks that I'm comfortable with and add a
comment that all future additions should include a justification.

+
+    // Flash files downloaded locally can sometimes access the local filesystem.
+    {"swf", DANGEROUS, DISALLOW_AUTO_OPEN},
+    {"spl", DANGEROUS, DISALLOW_AUTO_OPEN},
+
+    // Chrome extensions should be obtained through the web store. Allowed to
+    // open automatically because Chrome displays a prompt prior to
+    // installation.
+    {"crx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
   // Windows, all file categories.
 #if defined(OS_WIN)
-  { "ad", ALLOW_ON_USER_GESTURE },
-  { "ade", ALLOW_ON_USER_GESTURE },
-  { "adp", ALLOW_ON_USER_GESTURE },
-  { "app", ALLOW_ON_USER_GESTURE },
-  { "application", ALLOW_ON_USER_GESTURE },
-  { "asp", ALLOW_ON_USER_GESTURE },
-  { "asx", ALLOW_ON_USER_GESTURE },
-  { "bas", ALLOW_ON_USER_GESTURE },
-  { "bat", ALLOW_ON_USER_GESTURE },
-  { "cfg", DANGEROUS },
-  { "chi", ALLOW_ON_USER_GESTURE },
-  { "chm", ALLOW_ON_USER_GESTURE },
-  { "cmd", ALLOW_ON_USER_GESTURE },
-  { "com", ALLOW_ON_USER_GESTURE },
-  { "cpl", ALLOW_ON_USER_GESTURE },
-  { "crt", ALLOW_ON_USER_GESTURE },
-  { "dll", DANGEROUS },
-  { "drv", DANGEROUS },
-  { "exe", ALLOW_ON_USER_GESTURE },
-  { "fxp", ALLOW_ON_USER_GESTURE },
-  { "grp", DANGEROUS },
-  { "hlp", ALLOW_ON_USER_GESTURE },
-  { "hta", ALLOW_ON_USER_GESTURE },
-  { "htt", ALLOW_ON_USER_GESTURE },
-  { "inf", ALLOW_ON_USER_GESTURE },
-  { "ini", DANGEROUS },
-  { "ins", ALLOW_ON_USER_GESTURE },
-  { "isp", ALLOW_ON_USER_GESTURE },
-  { "js", ALLOW_ON_USER_GESTURE },
-  { "jse", ALLOW_ON_USER_GESTURE },
-  { "lnk", ALLOW_ON_USER_GESTURE },
-  { "local", DANGEROUS },
-  { "mad", ALLOW_ON_USER_GESTURE },
-  { "maf", ALLOW_ON_USER_GESTURE },
-  { "mag", ALLOW_ON_USER_GESTURE },
-  { "mam", ALLOW_ON_USER_GESTURE },
-  { "manifest", DANGEROUS },
-  { "maq", ALLOW_ON_USER_GESTURE },
-  { "mar", ALLOW_ON_USER_GESTURE },
-  { "mas", ALLOW_ON_USER_GESTURE },
-  { "mat", ALLOW_ON_USER_GESTURE },
-  { "mau", ALLOW_ON_USER_GESTURE },
-  { "mav", ALLOW_ON_USER_GESTURE },
-  { "maw", ALLOW_ON_USER_GESTURE },
-  { "mda", ALLOW_ON_USER_GESTURE },
-  { "mdb", ALLOW_ON_USER_GESTURE },
-  { "mde", ALLOW_ON_USER_GESTURE },
-  { "mdt", ALLOW_ON_USER_GESTURE },
-  { "mdw", ALLOW_ON_USER_GESTURE },
-  { "mdz", ALLOW_ON_USER_GESTURE },
-  { "mht", ALLOW_ON_USER_GESTURE },
-  { "mhtml", ALLOW_ON_USER_GESTURE },
-  { "mmc", ALLOW_ON_USER_GESTURE },
-  { "mof", DANGEROUS },
-  { "msc", ALLOW_ON_USER_GESTURE },
-  { "msh", ALLOW_ON_USER_GESTURE },
-  { "mshxml", ALLOW_ON_USER_GESTURE },
-  { "msi", ALLOW_ON_USER_GESTURE },
-  { "msp", ALLOW_ON_USER_GESTURE },
-  { "mst", ALLOW_ON_USER_GESTURE },
-  { "ocx", DANGEROUS },
-  { "ops", ALLOW_ON_USER_GESTURE },
-  { "pcd", ALLOW_ON_USER_GESTURE },
-  { "pif", ALLOW_ON_USER_GESTURE },
-  { "plg", ALLOW_ON_USER_GESTURE },
-  { "prf", ALLOW_ON_USER_GESTURE },
-  { "prg", ALLOW_ON_USER_GESTURE },
-  { "pst", ALLOW_ON_USER_GESTURE },
-  { "reg", ALLOW_ON_USER_GESTURE },
-  { "scf", ALLOW_ON_USER_GESTURE },
-  { "scr", ALLOW_ON_USER_GESTURE },
-  { "sct", ALLOW_ON_USER_GESTURE },
-  { "shb", ALLOW_ON_USER_GESTURE },
-  { "shs", ALLOW_ON_USER_GESTURE },
-  { "sys", DANGEROUS },
-  { "url", DANGEROUS },
-  { "vb", ALLOW_ON_USER_GESTURE },
-  { "vbe", ALLOW_ON_USER_GESTURE },
-  { "vbs", ALLOW_ON_USER_GESTURE },
-  { "vsd", ALLOW_ON_USER_GESTURE },
-  { "vsmacros", ALLOW_ON_USER_GESTURE },
-  { "vss", ALLOW_ON_USER_GESTURE },
-  { "vst", ALLOW_ON_USER_GESTURE },
-  { "vsw", ALLOW_ON_USER_GESTURE },
-  { "ws", ALLOW_ON_USER_GESTURE },
-  { "wsc", ALLOW_ON_USER_GESTURE },
-  { "wsf", ALLOW_ON_USER_GESTURE },
-  { "wsh", ALLOW_ON_USER_GESTURE },
-  { "xbap", DANGEROUS },
+    {"ad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"ade", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"adp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"app", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft ClickOnce depolyment manifest. By default, opens with
+    // dfshim.dll which should prompt the user before running untrusted code.
+    {"application", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Active Server Pages source file.
+    {"asp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Advanced Stream Redirector. Contains a playlist of media files.
+    {"asx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft Visual Basic source file. Opens by default in an editor.
+    {"bas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Command script.
+    {"bat", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"cfg", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    // Windows Compiled HTML Help files.
+    {"chi", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"chm", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Command script.
+    {"cmd", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Windows legacy executable.
+    {"com", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Control panel tool. Executable.
+    {"cpl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Signed certificate file.
+    {"crt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Windows executables.
+    {"dll", DANGEROUS, DISALLOW_AUTO_OPEN},
+    {"drv", DANGEROUS, DISALLOW_AUTO_OPEN},
+    {"exe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"fxp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"grp", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    // Windows legacy help file format.
+    {"hlp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // HTML Application. Executes as a fully trusted application.
+    {"hta", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Hypertext Template File. See https://support.microsoft.com/kb/181689.
+    {"htt", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Device installation information.
+    {"inf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Generic configuration file.
+    {"ini", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    {"ins", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"isp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // JavaScript file. May open using Windows Script Host with user level
+    // privileges.
+    {"js", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"jse", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Shortcuts. May open anything.
+    {"lnk", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // .local files affect DLL search path for .exe file with same base name.
+    {"local", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    {"mad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"maf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mag", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mam", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // While being a generic name, having a .manifest file with the same
+    // basename as .exe file (foo.exe + foo.exe.manifest) changes the dll search
+    // order for the .exe file. Downloading this kind of file to the users'
+    // download directory is almost always the wrong thing to do.
+    {"manifest", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    {"maq", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mar", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mat", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mau", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mav", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"maw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mda", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mdb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mde", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mdt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mdw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mdz", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Multipart HTML.
+    {"mht", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mhtml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    {"mmc", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mof", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    // Microsoft Management Console Snap-in. Contains executable code.
+    {"msc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"msh", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mshxml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Windows Installer
+    {"msi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"msp", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"mst", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // ActiveX Control
+    {"ocx", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    {"ops", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"pcd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Program Information File. Originally intended to configure execution
+    // environment for legacy DOS files. They aren't meant to contain executable
+    // code. But Windows may execute a PIF file that is sniffed as a PE file.
+    {"pif", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"plg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"prf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"prg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"pst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Registry file. Opening may cause registry settings to change. Users still
+    // need to click through a prompt. So we could consider relaxing the
+    // DISALLOW_AUTO_OPEN restriction.
+    {"reg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"scf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // These are also executables.
+    {"scr", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"sct", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"shb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"shs", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // System executable. Windows tries hard to prevent you from opening these
+    // types of files.
+    {"sys", DANGEROUS, DISALLOW_AUTO_OPEN},
+
+    // Internet Shortcut.
+    {"url", DANGEROUS, DISALLOW_AUTO_OPEN},
+
+    {"vb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // VBScript files. My open with Windows Script Host and execute with user
+    // privileges.
+    {"vbe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"vbs", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"vsd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"vsmacros", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"vss", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"vst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"vsw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Windows Script Host related.
+    {"ws", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"wsc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"wsf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"wsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // XAML Browser Application.
+    {"xbap", DANGEROUS, DISALLOW_AUTO_OPEN},
 #endif  // OS_WIN
 
   // Java.
 #if !defined(OS_CHROMEOS)
-  { "class", DANGEROUS },
-  { "jar", DANGEROUS },
-  { "jnlp", DANGEROUS },
+    {"class", DANGEROUS, DISALLOW_AUTO_OPEN},
+    {"jar", DANGEROUS, DISALLOW_AUTO_OPEN},
+    {"jnlp", DANGEROUS, DISALLOW_AUTO_OPEN},
 #endif
 
   // Scripting languages. (Shells are handled below.)
 #if !defined(OS_CHROMEOS) && !defined(OS_ANDROID)
-  { "pl", ALLOW_ON_USER_GESTURE },
-  { "py", ALLOW_ON_USER_GESTURE },
-  { "pyc", ALLOW_ON_USER_GESTURE },
-  { "pyw", ALLOW_ON_USER_GESTURE },
-  { "rb", ALLOW_ON_USER_GESTURE },
+    {"pl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"py", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"pyc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"pyw", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"rb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 
   // Shell languages. (OS_ANDROID is OS_POSIX.) OS_WIN shells are handled above.
 #if defined(OS_POSIX)
-  { "bash", ALLOW_ON_USER_GESTURE },
-  { "csh", ALLOW_ON_USER_GESTURE },
-  { "ksh", ALLOW_ON_USER_GESTURE },
-  { "sh", ALLOW_ON_USER_GESTURE },
-  { "shar", ALLOW_ON_USER_GESTURE },
-  { "tcsh", ALLOW_ON_USER_GESTURE },
+    {"bash", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"csh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"ksh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"sh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"shar", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"tcsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 #if defined(OS_MACOSX)
-  { "command", ALLOW_ON_USER_GESTURE },
+    {"command", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 
   // Package management formats. OS_WIN package formats are handled above.
 #if defined(OS_MACOSX) || defined(OS_LINUX)
-  { "pkg", ALLOW_ON_USER_GESTURE },
+    {"pkg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 #if defined(OS_LINUX)
-  { "deb", ALLOW_ON_USER_GESTURE },
-  { "rpm", ALLOW_ON_USER_GESTURE },
+    {"deb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"rpm", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 #if defined(OS_ANDROID)
-  { "dex", ALLOW_ON_USER_GESTURE },  // Really an executable format.
+    {"dex", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 };
 
-DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
+// FileType for files with an empty extension.
+const FileType kEmptyFileType = {nullptr, NOT_DANGEROUS, DISALLOW_AUTO_OPEN};
+
+// Default FileType for non-empty extensions that aren't in the list above.
+const FileType kUnknownFileType = {nullptr, NOT_DANGEROUS, ALLOW_AUTO_OPEN};
+
+const FileType& GetFileType(const base::FilePath& path) {
   base::FilePath::StringType extension(path.FinalExtension());
   if (extension.empty())
-    return NOT_DANGEROUS;
+    return kEmptyFileType;
   if (!base::IsStringASCII(extension))
-    return NOT_DANGEROUS;
+    return kUnknownFileType;
 #if defined(OS_WIN)
   std::string ascii_extension = base::UTF16ToASCII(extension);
 #elif defined(OS_POSIX)
   std::string ascii_extension = extension;
 #endif
 
   // Strip out leading dot if it's still there
   if (ascii_extension[0] == base::FilePath::kExtensionSeparator)
     ascii_extension.erase(0, 1);
 
-  for (size_t i = 0; i < arraysize(g_executables); ++i) {
-    if (base::LowerCaseEqualsASCII(ascii_extension, g_executables[i].extension))
-      return g_executables[i].level;
+  for (const auto& file_type : kDownloadFileTypes) {
+    if (base::LowerCaseEqualsASCII(ascii_extension, file_type.extension))
+      return file_type;
   }
-  return NOT_DANGEROUS;
+
+  return kUnknownFileType;
+}
+
+}  // namespace
+
+DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
+  return GetFileType(path).danger_level;
+}
+
+bool IsAllowedToOpenAutomatically(const base::FilePath& path) {
+  return GetFileType(path).auto_open_hint == ALLOW_AUTO_OPEN;
 }
 
 static const char* kExecutableWhiteList[] = {
   // JavaScript is just as powerful as EXE.
   "text/javascript",
   "text/javascript;version=*",
   "text/html",
   // Registry files can cause critical changes to the MS OS behavior.
   // Addition of this mimetype also addresses bug 7337.
   "text/x-registry",
@@ skipping 15 matching lines @@
       return true;
   }
   for (size_t i = 0; i < arraysize(kExecutableBlackList); ++i) {
     if (net::MatchesMimeType(kExecutableBlackList[i], mime_type))
       return false;
   }
   // We consider only other application types to be executable.
   return net::MatchesMimeType("application/*", mime_type);
 }
 
-
 }  // namespace download_util