FileURLToFilePath: Don't unescape '/' and '\\'.

net/base/escape.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef NET_BASE_ESCAPE_H_
 #define NET_BASE_ESCAPE_H_
 
 #include <stdint.h>
 
 #include <string>
@@ skipping 60 matching lines @@
 
   enum {
     // Don't unescape anything at all.
     NONE = 0,
 
     // Don't unescape anything special, but all normal unescaping will happen.
     // This is a placeholder and can't be combined with other flags (since it's
     // just the absence of them). All other unescape rules imply "normal" in
     // addition to their special meaning. Things like escaped letters, digits,
     // and most symbols will get unescaped with this mode.
-    NORMAL = 1,
+    NORMAL = 1 << 0,
 
     // Convert %20 to spaces. In some places where we're showing URLs, we may
     // want this. In places where the URL may be copied and pasted out, then
     // you wouldn't want this since it might not be interpreted in one piece
     // by other applications.
-    SPACES = 2,
+    SPACES = 1 << 1,
+
+    // Unescapes '/' and '\\'. If these characters were unescaped, the resulting
+    // URL won't be the same as the source one. Moreover, they are dangerous to
+    // unescape in strings that will be used as file paths or names. This value
+    // should be used rarely, and only with extreme caution.

[brettw, 2016/02/22 23:33:24]

I think it would be worth mentioning here that the normal use-case for this is
for URLs that don't assign meaning to a path like data URLs. Otherwise this
comment seems overly discouraging of this type of use-case.

[mmenke, 2016/02/23 15:59:39]

Done

+    PATH_SEPARATORS = 1 << 2,
 
     // Unescapes various characters that will change the meaning of URLs,
-    // including '%', '+', '&', '/', '#'. If we unescaped these characters, the
-    // resulting URL won't be the same as the source one. This flag is used when
-    // generating final output like filenames for URLs where we won't be
-    // interpreting as a URL and want to do as much unescaping as possible.
-    URL_SPECIAL_CHARS = 4,
+    // including '%', '+', '&', '#'. Does not unescape path separators.
+    // If these characters were unescaped, the resulting URL won't be the same
+    // as the source one. This flag is used when generating final output like
+    // filenames for URLs where we won't be interpreting as a URL and want to do
+    // as much unescaping as possible.
+    URL_SPECIAL_CHARS_EXCEPT_PATH_SEPARATORS = 1 << 3,
+
+    // A combination of URL_SPECIAL_CHARS_EXCEPT_PATH_SEPARATORS and
+    // PATH_SEPARATORS. Warning about the use of PATH_SEPARATORS also apply
+    // here.
+    // TODO(mmenke):  Audit all uses of this and replace with the above values,
+    // as needed.
+    URL_SPECIAL_CHARS =
+        PATH_SEPARATORS | URL_SPECIAL_CHARS_EXCEPT_PATH_SEPARATORS,
 
     // Unescapes characters that can be used in spoofing attempts (such as LOCK)
     // and control characters (such as BiDi control characters and %01).  This
     // INCLUDES NULLs.  This is used for rare cases such as data: URL decoding
     // where the result is binary data.
     //
     // DO NOT use SPOOFING_AND_CONTROL_CHARS if the URL is going to be displayed
     // in the UI for security reasons.
-    SPOOFING_AND_CONTROL_CHARS = 8,
+    SPOOFING_AND_CONTROL_CHARS = 1 << 4,
 
     // URL queries use "+" for space. This flag controls that replacement.
-    REPLACE_PLUS_WITH_SPACE = 16,
+    REPLACE_PLUS_WITH_SPACE = 1 << 5,
   };
 };
 
 // Unescapes |escaped_text| and returns the result.
 // Unescaping consists of looking for the exact pattern "%XX", where each X is
 // a hex digit, and converting to the character with the numerical value of
 // those digits. Thus "i%20=%203%3b" unescapes to "i = 3;".
 //
 // Watch out: this doesn't necessarily result in the correct final result,
 // because the encoding may be unknown. For example, the input might be ASCII,
@@ skipping 20 matching lines @@
     UnescapeRule::Type rules,
     base::OffsetAdjuster::Adjustments* adjustments);
 
 // Unescapes the following ampersand character codes from |text|:
 // &lt; &gt; &amp; &quot; &#39;
 NET_EXPORT base::string16 UnescapeForHTML(const base::string16& text);
 
 }  // namespace net
 
 #endif  // NET_BASE_ESCAPE_H_