[Downloads] Prevent dangerous files from being opened automatically.

chrome/browser/download/download_extensions.cc

Index: chrome/browser/download/download_extensions.cc
diff --git a/chrome/browser/download/download_extensions.cc b/chrome/browser/download/download_extensions.cc
index df961a5557141d1842080d090177efbd28293559..c5d4dc46000d3258ed544d371bcc22e9706aaf00 100644
--- a/chrome/browser/download/download_extensions.cc
+++ b/chrome/browser/download/download_extensions.cc
@@ -57,159 +57,297 @@ namespace download_util {
  *
  * ***** END LICENSE BLOCK ***** */
 
-static const struct Executables {
-    const char* extension;
-    DownloadDangerLevel level;
-} g_executables[] = {
-  // Some files are dangerous on all platforms.
+namespace {
+
+enum DownloadAutoOpenHint {
+  ALLOW_AUTO_OPEN,
+
+  // The file type should not be allowed to open automatically.
+  //
+  // This is a subtle distinction from file types that are just dangerous to
+  // download. Allowing a file type to open automatically can result in a
+  // malicious website being able to run harmful code on the users' machine
+  // without the user making an explicit decision to download or open the file
+  // type.
+  //
+  // The existence of the list an acknowledgement that the act of downloading
+  // doesn't necessarily indicate consent to download the specific file that was
+  // written to disk. I.e. a malicious file could drop a download possibly by
+  // clickjacking, or the file written to disk may not be what the user thought
+  // it was. Such a download may even bypass a user prompt if the danger type is
+  // ALLOW_ON_USER_GESTURE. Even if the user explicitly consents to the

[Randy Smith (Not in Mondays), 2015/06/15 19:19:17]

I'd rewrite this a bit to explicitly acknowledge that ALLOW_ON_USER_GESTURE
isn't a reliable security guarantee, more of a speed bump.

[asanka, 2015/06/16 19:23:42]

Yup. I moved the general overview over to download_extensions.h since that, IMO,
should be part of the public interface. I left the comment about specific
criteria here.

+  // download, they should be able to choose when or if the file should be

[Randy Smith (Not in Mondays), 2015/06/15 19:19:17]

The issue is whether they should be forced to rather than whether they be able
to choose to, right?

[asanka, 2015/06/16 19:23:42]

Yeah. Clarified.

+  // opened by the default handler if the file type is dangerous.
+  //
+  // Criteria for disallowing a file type from opening automatically:
   //
-  // Flash files downloaded locally can sometimes access the local filesystem.
-  { "swf", DANGEROUS },
-  { "spl", DANGEROUS },
-  // Chrome extensions should be obtained through the web store.
-  { "crx", ALLOW_ON_USER_GESTURE },
+  // Includes file types that upon opening may either:
+  //   * ... execute arbitrary or harmful code with user privileges.
+  //   * ... change configuration of the system to cause harmful behavior
+  //     immediately or at some time in the future.
+  //
+  // Doesn't include file types that upon opening:
+  //   * ... sufficiently warn the user about the fact that:
+  //     - This file was downloaded from the internet.
+  //     - Opening it can make specified changes to the system.
+  //     (Note that any such warnings need to be displayed prior to the harmful
+  //     logic being executed).
+  //   * ... does nothing particularly dangerous, despite the act of downloading
+  //     itself being dangerous (E.g. .local and .manifest files).
+  DISALLOW_AUTO_OPEN,
+};
+
+const struct FileType {
+  const char* extension;  // Extension sans leading extension separator.
+  DownloadDangerLevel danger_level;
+  DownloadAutoOpenHint auto_open_hint;
+} kDownloadFileTypes[] = {
+    // Some files are dangerous on all platforms.

[Randy Smith (Not in Mondays), 2015/06/15 19:19:17]

I really like the addition of detailed comments to this list.  Of course, the
addition of those comments makes sharper the lack of comments for some file
types.  Not as part of this CL, but maybe long-term we should have a goal of
commenting all lines in this list?  WDYT?

[asanka, 2015/06/16 19:23:42]

Agree completely. I'll fill in the blanks that I'm comfortable with and add a
comment that all future additions should include a justification.

+
+    // Flash files downloaded locally can sometimes access the local filesystem.
+    {"swf", DANGEROUS, DISALLOW_AUTO_OPEN},
+    {"spl", DANGEROUS, DISALLOW_AUTO_OPEN},
+
+    // Chrome extensions should be obtained through the web store. Allowed to
+    // open automatically because Chrome displays a prompt prior to
+    // installation.
+    {"crx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
   // Windows, all file categories.
 #if defined(OS_WIN)
-  { "ad", ALLOW_ON_USER_GESTURE },
-  { "ade", ALLOW_ON_USER_GESTURE },
-  { "adp", ALLOW_ON_USER_GESTURE },
-  { "app", ALLOW_ON_USER_GESTURE },
-  { "application", ALLOW_ON_USER_GESTURE },
-  { "asp", ALLOW_ON_USER_GESTURE },
-  { "asx", ALLOW_ON_USER_GESTURE },
-  { "bas", ALLOW_ON_USER_GESTURE },
-  { "bat", ALLOW_ON_USER_GESTURE },
-  { "cfg", DANGEROUS },
-  { "chi", ALLOW_ON_USER_GESTURE },
-  { "chm", ALLOW_ON_USER_GESTURE },
-  { "cmd", ALLOW_ON_USER_GESTURE },
-  { "com", ALLOW_ON_USER_GESTURE },
-  { "cpl", ALLOW_ON_USER_GESTURE },
-  { "crt", ALLOW_ON_USER_GESTURE },
-  { "dll", DANGEROUS },
-  { "drv", DANGEROUS },
-  { "exe", ALLOW_ON_USER_GESTURE },
-  { "fxp", ALLOW_ON_USER_GESTURE },
-  { "grp", DANGEROUS },
-  { "hlp", ALLOW_ON_USER_GESTURE },
-  { "hta", ALLOW_ON_USER_GESTURE },
-  { "htt", ALLOW_ON_USER_GESTURE },
-  { "inf", ALLOW_ON_USER_GESTURE },
-  { "ini", DANGEROUS },
-  { "ins", ALLOW_ON_USER_GESTURE },
-  { "isp", ALLOW_ON_USER_GESTURE },
-  { "js", ALLOW_ON_USER_GESTURE },
-  { "jse", ALLOW_ON_USER_GESTURE },
-  { "lnk", ALLOW_ON_USER_GESTURE },
-  { "local", DANGEROUS },
-  { "mad", ALLOW_ON_USER_GESTURE },
-  { "maf", ALLOW_ON_USER_GESTURE },
-  { "mag", ALLOW_ON_USER_GESTURE },
-  { "mam", ALLOW_ON_USER_GESTURE },
-  { "manifest", DANGEROUS },
-  { "maq", ALLOW_ON_USER_GESTURE },
-  { "mar", ALLOW_ON_USER_GESTURE },
-  { "mas", ALLOW_ON_USER_GESTURE },
-  { "mat", ALLOW_ON_USER_GESTURE },
-  { "mau", ALLOW_ON_USER_GESTURE },
-  { "mav", ALLOW_ON_USER_GESTURE },
-  { "maw", ALLOW_ON_USER_GESTURE },
-  { "mda", ALLOW_ON_USER_GESTURE },
-  { "mdb", ALLOW_ON_USER_GESTURE },
-  { "mde", ALLOW_ON_USER_GESTURE },
-  { "mdt", ALLOW_ON_USER_GESTURE },
-  { "mdw", ALLOW_ON_USER_GESTURE },
-  { "mdz", ALLOW_ON_USER_GESTURE },
-  { "mht", ALLOW_ON_USER_GESTURE },
-  { "mhtml", ALLOW_ON_USER_GESTURE },
-  { "mmc", ALLOW_ON_USER_GESTURE },
-  { "mof", DANGEROUS },
-  { "msc", ALLOW_ON_USER_GESTURE },
-  { "msh", ALLOW_ON_USER_GESTURE },
-  { "mshxml", ALLOW_ON_USER_GESTURE },
-  { "msi", ALLOW_ON_USER_GESTURE },
-  { "msp", ALLOW_ON_USER_GESTURE },
-  { "mst", ALLOW_ON_USER_GESTURE },
-  { "ocx", DANGEROUS },
-  { "ops", ALLOW_ON_USER_GESTURE },
-  { "pcd", ALLOW_ON_USER_GESTURE },
-  { "pif", ALLOW_ON_USER_GESTURE },
-  { "plg", ALLOW_ON_USER_GESTURE },
-  { "prf", ALLOW_ON_USER_GESTURE },
-  { "prg", ALLOW_ON_USER_GESTURE },
-  { "pst", ALLOW_ON_USER_GESTURE },
-  { "reg", ALLOW_ON_USER_GESTURE },
-  { "scf", ALLOW_ON_USER_GESTURE },
-  { "scr", ALLOW_ON_USER_GESTURE },
-  { "sct", ALLOW_ON_USER_GESTURE },
-  { "shb", ALLOW_ON_USER_GESTURE },
-  { "shs", ALLOW_ON_USER_GESTURE },
-  { "sys", DANGEROUS },
-  { "url", DANGEROUS },
-  { "vb", ALLOW_ON_USER_GESTURE },
-  { "vbe", ALLOW_ON_USER_GESTURE },
-  { "vbs", ALLOW_ON_USER_GESTURE },
-  { "vsd", ALLOW_ON_USER_GESTURE },
-  { "vsmacros", ALLOW_ON_USER_GESTURE },
-  { "vss", ALLOW_ON_USER_GESTURE },
-  { "vst", ALLOW_ON_USER_GESTURE },
-  { "vsw", ALLOW_ON_USER_GESTURE },
-  { "ws", ALLOW_ON_USER_GESTURE },
-  { "wsc", ALLOW_ON_USER_GESTURE },
-  { "wsf", ALLOW_ON_USER_GESTURE },
-  { "wsh", ALLOW_ON_USER_GESTURE },
-  { "xbap", DANGEROUS },
+    {"ad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"ade", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"adp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"app", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft ClickOnce depolyment manifest. By default, opens with
+    // dfshim.dll which should prompt the user before running untrusted code.
+    {"application", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Active Server Pages source file.
+    {"asp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Advanced Stream Redirector. Contains a playlist of media files.
+    {"asx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft Visual Basic source file. Opens by default in an editor.
+    {"bas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Command script.
+    {"bat", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"cfg", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    // Windows Compiled HTML Help files.
+    {"chi", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"chm", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Command script.
+    {"cmd", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Windows legacy executable.
+    {"com", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Control panel tool. Executable.
+    {"cpl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Signed certificate file.
+    {"crt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Windows executables.
+    {"dll", DANGEROUS, DISALLOW_AUTO_OPEN},
+    {"drv", DANGEROUS, DISALLOW_AUTO_OPEN},
+    {"exe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"fxp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"grp", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    // Windows legacy help file format.
+    {"hlp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // HTML Application. Executes as a fully trusted application.
+    {"hta", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Hypertext Template File. See https://support.microsoft.com/kb/181689.
+    {"htt", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Device installation information.
+    {"inf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Generic configuration file.
+    {"ini", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    {"ins", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"isp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // JavaScript file. May open using Windows Script Host with user level
+    // privileges.
+    {"js", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"jse", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // Shortcuts. May open anything.
+    {"lnk", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // .local files affect DLL search path for .exe file with same base name.
+    {"local", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    {"mad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"maf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mag", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mam", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // While being a generic name, having a .manifest file with the same
+    // basename as .exe file (foo.exe + foo.exe.manifest) changes the dll search
+    // order for the .exe file. Downloading this kind of file to the users'
+    // download directory is almost always the wrong thing to do.
+    {"manifest", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    {"maq", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mar", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mat", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mau", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mav", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"maw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mda", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mdb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mde", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mdt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mdw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mdz", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Multipart HTML.
+    {"mht", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mhtml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    {"mmc", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mof", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    // Microsoft Management Console Snap-in. Contains executable code.
+    {"msc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"msh", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mshxml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Windows Installer
+    {"msi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"msp", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"mst", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // ActiveX Control
+    {"ocx", DANGEROUS, ALLOW_AUTO_OPEN},
+
+    {"ops", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"pcd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Program Information File. Originally intended to configure execution
+    // environment for legacy DOS files. They aren't meant to contain executable
+    // code. But Windows may execute a PIF file that is sniffed as a PE file.
+    {"pif", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"plg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"prf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"prg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"pst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Registry file. Opening may cause registry settings to change. Users still
+    // need to click through a prompt. So we could consider relaxing the
+    // DISALLOW_AUTO_OPEN restriction.
+    {"reg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"scf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // These are also executables.
+    {"scr", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"sct", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"shb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"shs", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // System executable. Windows tries hard to prevent you from opening these
+    // types of files.
+    {"sys", DANGEROUS, DISALLOW_AUTO_OPEN},
+
+    // Internet Shortcut.
+    {"url", DANGEROUS, DISALLOW_AUTO_OPEN},
+
+    {"vb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // VBScript files. My open with Windows Script Host and execute with user
+    // privileges.
+    {"vbe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"vbs", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    {"vsd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"vsmacros", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"vss", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"vst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"vsw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Windows Script Host related.
+    {"ws", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"wsc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"wsf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"wsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // XAML Browser Application.
+    {"xbap", DANGEROUS, DISALLOW_AUTO_OPEN},
 #endif  // OS_WIN
 
   // Java.
 #if !defined(OS_CHROMEOS)
-  { "class", DANGEROUS },
-  { "jar", DANGEROUS },
-  { "jnlp", DANGEROUS },
+    {"class", DANGEROUS, DISALLOW_AUTO_OPEN},
+    {"jar", DANGEROUS, DISALLOW_AUTO_OPEN},
+    {"jnlp", DANGEROUS, DISALLOW_AUTO_OPEN},
 #endif
 
   // Scripting languages. (Shells are handled below.)
 #if !defined(OS_CHROMEOS) && !defined(OS_ANDROID)
-  { "pl", ALLOW_ON_USER_GESTURE },
-  { "py", ALLOW_ON_USER_GESTURE },
-  { "pyc", ALLOW_ON_USER_GESTURE },
-  { "pyw", ALLOW_ON_USER_GESTURE },
-  { "rb", ALLOW_ON_USER_GESTURE },
+    {"pl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"py", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"pyc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"pyw", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"rb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 
   // Shell languages. (OS_ANDROID is OS_POSIX.) OS_WIN shells are handled above.
 #if defined(OS_POSIX)
-  { "bash", ALLOW_ON_USER_GESTURE },
-  { "csh", ALLOW_ON_USER_GESTURE },
-  { "ksh", ALLOW_ON_USER_GESTURE },
-  { "sh", ALLOW_ON_USER_GESTURE },
-  { "shar", ALLOW_ON_USER_GESTURE },
-  { "tcsh", ALLOW_ON_USER_GESTURE },
+    {"bash", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"csh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"ksh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"sh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"shar", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"tcsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 #if defined(OS_MACOSX)
-  { "command", ALLOW_ON_USER_GESTURE },
+    {"command", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 
   // Package management formats. OS_WIN package formats are handled above.
 #if defined(OS_MACOSX) || defined(OS_LINUX)
-  { "pkg", ALLOW_ON_USER_GESTURE },
+    {"pkg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 #if defined(OS_LINUX)
-  { "deb", ALLOW_ON_USER_GESTURE },
-  { "rpm", ALLOW_ON_USER_GESTURE },
+    {"deb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"rpm", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 #if defined(OS_ANDROID)
-  { "dex", ALLOW_ON_USER_GESTURE },  // Really an executable format.
+    {"dex", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 #endif
 };
 
-DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
+// FileType for files with an empty extension.
+const FileType kEmptyFileType = {nullptr, NOT_DANGEROUS, DISALLOW_AUTO_OPEN};
+
+// Default FileType for non-empty extensions that aren't in the list above.
+const FileType kUnknownFileType = {nullptr, NOT_DANGEROUS, ALLOW_AUTO_OPEN};
+
+const FileType& GetFileType(const base::FilePath& path) {
   base::FilePath::StringType extension(path.FinalExtension());
   if (extension.empty())
-    return NOT_DANGEROUS;
+    return kEmptyFileType;
   if (!base::IsStringASCII(extension))
-    return NOT_DANGEROUS;
+    return kUnknownFileType;
 #if defined(OS_WIN)
   std::string ascii_extension = base::UTF16ToASCII(extension);
 #elif defined(OS_POSIX)
@@ -220,11 +358,22 @@ DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
   if (ascii_extension[0] == base::FilePath::kExtensionSeparator)
     ascii_extension.erase(0, 1);
 
-  for (size_t i = 0; i < arraysize(g_executables); ++i) {
-    if (base::LowerCaseEqualsASCII(ascii_extension, g_executables[i].extension))
-      return g_executables[i].level;
+  for (const auto& file_type : kDownloadFileTypes) {
+    if (base::LowerCaseEqualsASCII(ascii_extension, file_type.extension))
+      return file_type;
   }
-  return NOT_DANGEROUS;
+
+  return kUnknownFileType;
+}
+
+}  // namespace
+
+DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
+  return GetFileType(path).danger_level;
+}
+
+bool IsAllowedToOpenAutomatically(const base::FilePath& path) {
+  return GetFileType(path).auto_open_hint == ALLOW_AUTO_OPEN;
 }
 
 static const char* kExecutableWhiteList[] = {
@@ -260,5 +409,4 @@ bool IsExecutableMimeType(const std::string& mime_type) {
   return net::MatchesMimeType("application/*", mime_type);
 }
 
-
 }  // namespace download_util