OLD | NEW |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
4 | 4 |
5 #include "webkit/plugins/npapi/plugin_list.h" | 5 #include "webkit/plugins/npapi/plugin_list.h" |
6 | 6 |
7 #include <algorithm> | 7 #include <algorithm> |
8 | 8 |
9 #include "base/command_line.h" | 9 #include "base/command_line.h" |
10 #include "base/lazy_instance.h" | 10 #include "base/lazy_instance.h" |
11 #include "base/logging.h" | 11 #include "base/logging.h" |
12 #include "base/strings/string_split.h" | 12 #include "base/strings/string_split.h" |
13 #include "base/strings/string_util.h" | 13 #include "base/strings/string_util.h" |
14 #include "base/strings/sys_string_conversions.h" | 14 #include "base/strings/sys_string_conversions.h" |
15 #include "base/strings/utf_string_conversions.h" | 15 #include "base/strings/utf_string_conversions.h" |
16 #include "net/base/mime_util.h" | 16 #include "net/base/mime_util.h" |
17 #include "url/gurl.h" | 17 #include "url/gurl.h" |
18 #include "webkit/plugins/npapi/plugin_utils.h" | 18 #include "webkit/plugins/npapi/plugin_utils.h" |
19 #include "webkit/plugins/plugin_switches.h" | 19 #include "webkit/plugins/plugin_switches.h" |
20 | 20 |
21 #if defined(OS_WIN) | 21 #if defined(OS_WIN) |
22 #include "webkit/plugins/npapi/plugin_constants_win.h" | 22 #include "webkit/plugins/npapi/plugin_constants_win.h" |
23 #endif | 23 #endif |
24 | 24 |
25 namespace { | 25 namespace { |
26 | 26 |
27 using webkit::npapi::PluginList; | 27 using webkit::npapi::PluginList; |
28 | 28 |
29 const char kApplicationOctetStream[] = "application/octet-stream"; | |
30 | |
31 base::LazyInstance<PluginList> g_singleton = LAZY_INSTANCE_INITIALIZER; | 29 base::LazyInstance<PluginList> g_singleton = LAZY_INSTANCE_INITIALIZER; |
32 | 30 |
33 bool AllowMimeTypeMismatch(const std::string& orig_mime_type, | |
34 const std::string& actual_mime_type) { | |
35 if (orig_mime_type == actual_mime_type) { | |
36 NOTREACHED(); | |
37 return true; | |
38 } | |
39 | |
40 // We do not permit URL-sniff based plug-in MIME type overrides aside from | |
41 // the case where the "type" was initially missing or generic | |
42 // (application/octet-stream). | |
43 // We collected stats to determine this approach isn't a major compat issue, | |
44 // and we defend against content confusion attacks in various cases, such | |
45 // as when the user doesn't have the Flash plug-in enabled. | |
46 bool allow = orig_mime_type.empty() || | |
47 orig_mime_type == kApplicationOctetStream; | |
48 LOG_IF(INFO, !allow) << "Ignoring plugin with unexpected MIME type " | |
49 << actual_mime_type << " (expected " << orig_mime_type | |
50 << ")"; | |
51 return allow; | |
52 } | |
53 | |
54 } // namespace | 31 } // namespace |
55 | 32 |
56 namespace webkit { | 33 namespace webkit { |
57 namespace npapi { | 34 namespace npapi { |
58 | 35 |
59 // static | 36 // static |
60 PluginList* PluginList::Singleton() { | 37 PluginList* PluginList::Singleton() { |
61 return g_singleton.Pointer(); | 38 return g_singleton.Pointer(); |
62 } | 39 } |
63 | 40 |
(...skipping 332 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
396 base::FilePath path = plugins_list_[i].path; | 373 base::FilePath path = plugins_list_[i].path; |
397 if (visited_plugins.insert(path).second) { | 374 if (visited_plugins.insert(path).second) { |
398 info->push_back(plugins_list_[i]); | 375 info->push_back(plugins_list_[i]); |
399 if (actual_mime_types) | 376 if (actual_mime_types) |
400 actual_mime_types->push_back(mime_type); | 377 actual_mime_types->push_back(mime_type); |
401 } | 378 } |
402 } | 379 } |
403 } | 380 } |
404 | 381 |
405 // Add in plugins by url. | 382 // Add in plugins by url. |
| 383 // We do not permit URL-sniff based plug-in MIME type overrides aside from |
| 384 // the case where the "type" was initially missing. |
| 385 // We collected stats to determine this approach isn't a major compat issue, |
| 386 // and we defend against content confusion attacks in various cases, such |
| 387 // as when the user doesn't have the Flash plug-in enabled. |
406 std::string path = url.path(); | 388 std::string path = url.path(); |
407 std::string::size_type last_dot = path.rfind('.'); | 389 std::string::size_type last_dot = path.rfind('.'); |
408 if (last_dot != std::string::npos) { | 390 if (last_dot != std::string::npos && mime_type.empty()) { |
409 std::string extension = StringToLowerASCII(std::string(path, last_dot+1)); | 391 std::string extension = StringToLowerASCII(std::string(path, last_dot+1)); |
410 std::string actual_mime_type; | 392 std::string actual_mime_type; |
411 for (size_t i = 0; i < plugins_list_.size(); ++i) { | 393 for (size_t i = 0; i < plugins_list_.size(); ++i) { |
412 if (SupportsExtension(plugins_list_[i], extension, &actual_mime_type)) { | 394 if (SupportsExtension(plugins_list_[i], extension, &actual_mime_type)) { |
413 base::FilePath path = plugins_list_[i].path; | 395 base::FilePath path = plugins_list_[i].path; |
414 if (visited_plugins.insert(path).second && | 396 if (visited_plugins.insert(path).second) { |
415 AllowMimeTypeMismatch(mime_type, actual_mime_type)) { | |
416 info->push_back(plugins_list_[i]); | 397 info->push_back(plugins_list_[i]); |
417 if (actual_mime_types) | 398 if (actual_mime_types) |
418 actual_mime_types->push_back(actual_mime_type); | 399 actual_mime_types->push_back(actual_mime_type); |
419 } | 400 } |
420 } | 401 } |
421 } | 402 } |
422 } | 403 } |
423 } | 404 } |
424 | 405 |
425 bool PluginList::SupportsType(const webkit::WebPluginInfo& plugin, | 406 bool PluginList::SupportsType(const webkit::WebPluginInfo& plugin, |
(...skipping 29 matching lines...) Expand all Loading... |
455 } | 436 } |
456 return false; | 437 return false; |
457 } | 438 } |
458 | 439 |
459 PluginList::~PluginList() { | 440 PluginList::~PluginList() { |
460 } | 441 } |
461 | 442 |
462 | 443 |
463 } // namespace npapi | 444 } // namespace npapi |
464 } // namespace webkit | 445 } // namespace webkit |
OLD | NEW |