[Downloads] Consider Windows PowerShell file types as dangerous.

chrome/browser/download/download_extensions.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include <set>
 #include <string>
 
 #include "chrome/browser/download/download_extensions.h"
 
 #include "base/strings/string_util.h"
@@ skipping 92 matching lines @@
 
     // Flash files downloaded locally can sometimes access the local filesystem.
     {"swf", DANGEROUS, DISALLOW_AUTO_OPEN},
     {"spl", DANGEROUS, DISALLOW_AUTO_OPEN},
 
     // Chrome extensions should be obtained through the web store. Allowed to
     // open automatically because Chrome displays a prompt prior to
     // installation.
     {"crx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
-  // Windows, all file categories.
+    // Windows, all file categories. The list is in alphabetical order of
+    // extensions. Exceptions are made for logical groupings of file types.
+    //
+    // Some file descriptions are based on
+    // https://support.office.com/article/Blocked-attachments-in-Outlook-3811cddc-17c3-4279-a30c-060ba0207372
 #if defined(OS_WIN)
     {"ad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"ade", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"adp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft Access related.
+    {"ade", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Project extension
+    {"adp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Project.
+    {"mad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Module Shortcut.
+    {"maf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"mag", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Diagram Shortcut.
+    {"mam", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Macro Shortcut.
+    {"maq", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Query Shortcut.
+    {"mar", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Report Shortcut.
+    {"mas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Stored Procedures.
+    {"mat", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Table Shortcut.
+    {"mav", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // View Shortcut.
+    {"maw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Data Access Page.
+    {"mda", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Access Add-in.
+    {"mdb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Database.
+    {"mde", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Database.
+    {"mdt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Add-in Data.
+    {"mdw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Workgroup Information.
+    {"mdz", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Wizard Template.
+
+    // Executable Application.
     {"app", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
     // Microsoft ClickOnce depolyment manifest. By default, opens with
     // dfshim.dll which should prompt the user before running untrusted code.
     {"application", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
     // Active Server Pages source file.
     {"asp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
     // Advanced Stream Redirector. Contains a playlist of media files.
@@ skipping 21 matching lines @@
     {"cpl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
     // Signed certificate file.
     {"crt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
     // Windows executables.
     {"dll", DANGEROUS, DISALLOW_AUTO_OPEN},
     {"drv", DANGEROUS, DISALLOW_AUTO_OPEN},
     {"exe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
+    // Microsoft FoxPro Compiled Source.
     {"fxp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
     {"grp", DANGEROUS, ALLOW_AUTO_OPEN},
 
     // Windows legacy help file format.
     {"hlp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
     // HTML Application. Executes as a fully trusted application.
     {"hta", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
     // Hypertext Template File. See https://support.microsoft.com/kb/181689.
     {"htt", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
     // Device installation information.
     {"inf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
     // Generic configuration file.
     {"ini", DANGEROUS, ALLOW_AUTO_OPEN},
 
+    // Microsoft IIS Internet Communication Settings.
     {"ins", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft IIS Internet Service Provider Settings.
     {"isp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
     // JavaScript file. May open using Windows Script Host with user level
     // privileges.
     {"js", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
+    // JScript encoded script file.
     {"jse", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
     // Shortcuts. May open anything.
     {"lnk", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
     // .local files affect DLL search path for .exe file with same base name.
     {"local", DANGEROUS, ALLOW_AUTO_OPEN},
 
-    {"mad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"maf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mag", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mam", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-
     // While being a generic name, having a .manifest file with the same
     // basename as .exe file (foo.exe + foo.exe.manifest) changes the dll search
     // order for the .exe file. Downloading this kind of file to the users'
     // download directory is almost always the wrong thing to do.
     {"manifest", DANGEROUS, ALLOW_AUTO_OPEN},
 
-    {"maq", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mar", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mat", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    // Media Attachment Unit.
     {"mau", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mav", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"maw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mda", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mdb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mde", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mdt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mdw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mdz", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
     // Multipart HTML.
     {"mht", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
     {"mhtml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
     {"mmc", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
     {"mof", DANGEROUS, ALLOW_AUTO_OPEN},
 
     // Microsoft Management Console Snap-in. Contains executable code.
     {"msc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
-    {"msh", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
-    {"mshxml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    // Microsoft Shell.
+    {"msh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"msh1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"msh2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"mshxml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"msh1xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"msh2xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
-    // Windows Installer
+    // Windows Installer.
     {"msi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
     {"msp", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
     {"mst", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
-    // ActiveX Control
+    // ActiveX Control.
     {"ocx", DANGEROUS, ALLOW_AUTO_OPEN},

[palmer, 2015/07/07 20:54:42]

This seems wrong.

[asanka, 2015/07/07 22:40:53]

Changed to DISALLOW_AUTO_OPEN.

 
+    // Microsoft Office Profile Settings File.
     {"ops", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft Visual Test.
     {"pcd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
     // Program Information File. Originally intended to configure execution
     // environment for legacy DOS files. They aren't meant to contain executable
     // code. But Windows may execute a PIF file that is sniffed as a PE file.
     {"pif", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
+    // Developer Studio Build Log.
     {"plg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Windows System File.
     {"prf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Program File.
     {"prg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft Exchange Address Book File. Microsoft Outlook Personal Folder
+    // File.
     {"pst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
+    // Microsoft Windows PowerShell.
+    {"ps1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"ps1xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"ps2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"ps2xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"psc1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+    {"psc2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
+
     // Registry file. Opening may cause registry settings to change. Users still
     // need to click through a prompt. So we could consider relaxing the
     // DISALLOW_AUTO_OPEN restriction.
     {"reg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
+    // Microsoft Windows Explorer Command.
     {"scf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
-    // These are also executables.
+    // Microsoft Windows Screen Saver.
     {"scr", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
+    // Microsoft Windows Script Component. Microsoft FoxPro Screen.
     {"sct", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft Windows Shortcut into a document.
     {"shb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Shell Scrap Object File.
     {"shs", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
     // System executable. Windows tries hard to prevent you from opening these
     // types of files.
     {"sys", DANGEROUS, DISALLOW_AUTO_OPEN},
 
-    // Internet Shortcut. See description for .website below.
+    // Internet Shortcut (new since IE9). Both .url and .website are .ini files
+    // that describe a shortcut that points to a URL. They can point at
+    // anything. Dropping a download of this type and opening it automatically
+    // can in effect sidestep origin restrictions etc.

[Randy Smith (Not in Mondays), 2015/07/07 20:35:47]

nit, not even a suggestion: I do find myself thinking that "Obey the user's
wishes" should override the BB or small bullet opportunities to shoot oneself in
the foot, and sidestepping origin restriction feels like a small bullet (as
compared to shell/executable access, which feels like an exploding bullet that
could destroy the entire foot).  But you aren't changing the behavior in this
CL, and I don't feel strongly, so just mentioning the thought.

[asanka, 2015/07/07 22:40:53]

Acknowledged. Note that since SB now handles these file types, the DANGEROUS
flag doesn't apply whenever SB is enabled. The only effective restriction is
DISALLOW_AUTO_OPEN. Side-stepping origin restrictions also mean the possibility
of reaching into the user's file system, so auto opening before the user has an
opportunity to examine the file still involves a moderate amount of risk. The
auto-open restriction was put in place because of potential lack of opportunity
for the user to intervene.

     {"url", DANGEROUS, DISALLOW_AUTO_OPEN},
-
-    {"vb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+    {"website", DANGEROUS, DISALLOW_AUTO_OPEN},
 
     // VBScript files. My open with Windows Script Host and execute with user
     // privileges.
+    {"vb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
     {"vbe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
     {"vbs", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
     {"vsd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft Visual Studio Binary-based Macro Project.
     {"vsmacros", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
     {"vss", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
     {"vst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
+
+    // Microsoft Visio Workspace.
     {"vsw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 
-    // Internet Shortcut (new since IE9). Both .url and .website are .ini files
-    // that describe a shortcut that points to a URL. They can point at
-    // anything. Dropping a download of this type and opening it automatically
-    // can in effect sidestep origin restrictions etc.
-    {"website", DANGEROUS, DISALLOW_AUTO_OPEN},
-
     // Windows Script Host related.
     {"ws", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
     {"wsc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
     {"wsf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
     {"wsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
 
     // XAML Browser Application.
     {"xbap", DANGEROUS, DISALLOW_AUTO_OPEN},
+
+    // Microsoft Exchange Public Folder Shortcut.
+    {"xnk", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
 #endif  // OS_WIN
 
   // Java.
 #if !defined(OS_CHROMEOS)
     {"class", DANGEROUS, DISALLOW_AUTO_OPEN},
     {"jar", DANGEROUS, DISALLOW_AUTO_OPEN},
     {"jnlp", DANGEROUS, DISALLOW_AUTO_OPEN},
 #endif
 
   // Scripting languages. (Shells are handled below.)
@@ skipping 65 matching lines @@
 
 DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
   return GetFileType(path).danger_level;
 }
 
 bool IsAllowedToOpenAutomatically(const base::FilePath& path) {
   return GetFileType(path).auto_open_hint == ALLOW_AUTO_OPEN;
 }
 
 }  // namespace download_util