OLD | NEW |
| (Empty) |
1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include <set> | |
6 #include <string> | |
7 | |
8 #include "chrome/browser/download/download_extensions.h" | |
9 | |
10 #include "base/macros.h" | |
11 #include "base/strings/string_util.h" | |
12 #include "base/strings/utf_string_conversions.h" | |
13 #include "build/build_config.h" | |
14 #include "net/base/mime_util.h" | |
15 | |
16 namespace download_util { | |
17 | |
18 namespace { | |
19 | |
20 enum DownloadAutoOpenHint { | |
21 ALLOW_AUTO_OPEN, | |
22 | |
23 // The file type should not be allowed to open automatically. | |
24 // | |
25 // Criteria for disallowing a file type from opening automatically: | |
26 // | |
27 // Includes file types that upon opening may either: | |
28 // * ... execute arbitrary or harmful code with user privileges. | |
29 // * ... change configuration of the system to cause harmful behavior | |
30 // immediately or at some time in the future. | |
31 // | |
32 // Doesn't include file types that upon opening: | |
33 // * ... sufficiently warn the user about the fact that: | |
34 // - This file was downloaded from the internet. | |
35 // - Opening it can make specified changes to the system. | |
36 // (Note that any such warnings need to be displayed prior to the harmful | |
37 // logic being executed). | |
38 // * ... does nothing particularly dangerous, despite the act of downloading | |
39 // itself being dangerous (E.g. .local and .manifest files). | |
40 DISALLOW_AUTO_OPEN, | |
41 }; | |
42 | |
43 // Guidelines for adding a new dangerous file type: | |
44 // | |
45 // * Include a comment above the file type that: | |
46 // - Describes the file type. | |
47 // - Justifies why it is considered dangerous if this isn't obvious from the | |
48 // description. | |
49 // - Justifies why the file type is disallowed from auto opening, if | |
50 // necessary. | |
51 // * Add the file extension to the kDangerousFileTypes array in | |
52 // download_stats.cc. | |
53 // | |
54 // TODO(asanka): All file types listed below should have descriptions. | |
55 const struct FileType { | |
56 const char* extension; // Extension sans leading extension separator. | |
57 DownloadDangerLevel danger_level; | |
58 DownloadAutoOpenHint auto_open_hint; | |
59 } kDownloadFileTypes[] = { | |
60 // Some files are dangerous on all platforms. | |
61 | |
62 // Flash files downloaded locally can sometimes access the local filesystem. | |
63 {"swf", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
64 {"spl", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
65 | |
66 // Chrome extensions should be obtained through the web store. Allowed to | |
67 // open automatically because Chrome displays a prompt prior to | |
68 // installation. | |
69 {"crx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
70 | |
71 // Included for parity with kSafeBrowsingFileTypes. | |
72 {"bin", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
73 {"rtf", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
74 | |
75 // Archive file types. Not inherently dangerous, but could contain dangerous | |
76 // files. Included for parity with kSafeBrowsingFileTypes. | |
77 {"001", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
78 {"7z", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
79 {"ace", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
80 {"arc", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
81 {"arj", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
82 {"b64", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
83 {"balz", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
84 {"bhx", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
85 {"bz", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
86 {"bz2", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
87 {"bzip2", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
88 {"cab", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
89 {"cpio", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
90 {"fat", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
91 {"gz", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
92 {"gzip", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
93 {"hfs", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
94 {"hqx", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
95 {"iso", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
96 {"lha", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
97 {"lpaq1", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
98 {"lpaq5", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
99 {"lpaq8", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
100 {"lzh", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
101 {"lzma", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
102 {"mim", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
103 {"ntfs", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
104 {"paq8f", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
105 {"paq8jd", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
106 {"paq8l", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
107 {"paq8o", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
108 {"pea", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
109 {"quad", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
110 {"r00", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
111 {"r01", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
112 {"r02", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
113 {"r03", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
114 {"r04", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
115 {"r05", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
116 {"r06", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
117 {"r07", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
118 {"r08", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
119 {"r09", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
120 {"r10", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
121 {"r11", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
122 {"r12", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
123 {"r13", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
124 {"r14", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
125 {"r15", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
126 {"r16", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
127 {"r17", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
128 {"r18", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
129 {"r19", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
130 {"r20", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
131 {"r21", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
132 {"r22", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
133 {"r23", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
134 {"r24", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
135 {"r25", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
136 {"r26", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
137 {"r27", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
138 {"r28", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
139 {"r29", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
140 {"rar", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
141 {"squashfs", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
142 {"swm", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
143 {"tar", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
144 {"taz", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
145 {"tbz", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
146 {"tbz2", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
147 {"tgz", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
148 {"tpz", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
149 {"txz", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
150 {"tz", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
151 {"udf", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
152 {"uu", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
153 {"uue", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
154 {"vhd", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
155 {"vhdx", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, // Opens in IE, drops MOTW | |
156 {"vmdk", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
157 {"wim", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
158 {"wrc", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
159 {"xar", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
160 {"xxe", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
161 {"xz", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
162 {"z", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
163 {"zip", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
164 {"zipx", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
165 {"zpaq", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
166 | |
167 // Windows, all file categories. The list is in alphabetical order of | |
168 // extensions. Exceptions are made for logical groupings of file types. | |
169 // | |
170 // Some file descriptions are based on | |
171 // https://support.office.com/article/Blocked-attachments-in-Outlook-3811cdd
c-17c3-4279-a30c-060ba0207372 | |
172 #if defined(OS_WIN) | |
173 {"ad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
174 | |
175 // Microsoft Access related. | |
176 {"ade", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Project extension | |
177 {"adp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Project. | |
178 {"mad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Module Shortcut. | |
179 {"maf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
180 {"mag", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Diagram Shortcut. | |
181 {"mam", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Macro Shortcut. | |
182 {"maq", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Query Shortcut. | |
183 {"mar", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Report Shortcut. | |
184 {"mas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Stored Procedures. | |
185 {"mat", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Table Shortcut. | |
186 {"mav", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // View Shortcut. | |
187 {"maw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Data Access Page. | |
188 {"mda", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Access Add-in. | |
189 {"mdb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Database. | |
190 {"mde", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Database. | |
191 {"mdt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Add-in Data. | |
192 {"mdw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Workgroup Information. | |
193 {"mdz", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, // Wizard Template. | |
194 | |
195 // Executable Application. | |
196 {"app", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
197 | |
198 // Microsoft ClickOnce depolyment manifest. By default, opens with | |
199 // dfshim.dll which should prompt the user before running untrusted code. | |
200 {"application", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
201 // ClickOnce application reference. Basically a .lnk for ClickOnce apps. | |
202 {"appref-ms", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
203 | |
204 // Active Server Pages source file. | |
205 {"asp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
206 | |
207 // Advanced Stream Redirector. Contains a playlist of media files. | |
208 {"asx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
209 | |
210 // Microsoft Visual Basic source file. Opens by default in an editor. | |
211 {"bas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
212 | |
213 // Command script. | |
214 {"bat", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
215 | |
216 {"cfg", DANGEROUS, ALLOW_AUTO_OPEN}, | |
217 | |
218 // Windows Compiled HTML Help files. | |
219 {"chi", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
220 {"chm", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
221 | |
222 // Command script. | |
223 {"cmd", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
224 | |
225 // Windows legacy executable. | |
226 {"com", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
227 | |
228 // Control panel tool. Executable. | |
229 {"cpl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
230 | |
231 // Signed certificate file. | |
232 {"crt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
233 | |
234 // Windows executables. | |
235 {"dll", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
236 {"drv", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
237 | |
238 // Opens in Outlook. Not common, but could be exploited (CVE-2015-6172) | |
239 {"eml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
240 | |
241 // Windows executable | |
242 {"exe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
243 | |
244 // Font file, uses Portable Executable or New Executable format. Not | |
245 // supposed to contain executable code. | |
246 {"fon", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
247 | |
248 // Microsoft FoxPro Compiled Source. | |
249 {"fxp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
250 | |
251 // Windows Sidebar Gadget (Vista & Win 7). ZIP archive containing html + js. | |
252 // Deprecated by Microsoft. Can run arbitrary code with user privileges. | |
253 // (https://technet.microsoft.com/library/security/2719662) | |
254 {"gadget", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
255 | |
256 // MSProgramGroup (?). | |
257 {"grp", DANGEROUS, ALLOW_AUTO_OPEN}, | |
258 | |
259 // Windows legacy help file format. | |
260 {"hlp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
261 | |
262 // HTML Application. Executes as a fully trusted application. | |
263 {"hta", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
264 | |
265 // Hypertext Template File. See https://support.microsoft.com/kb/181689. | |
266 {"htt", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
267 | |
268 // Device installation information. | |
269 {"inf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
270 | |
271 // Generic configuration file. | |
272 {"ini", DANGEROUS, ALLOW_AUTO_OPEN}, | |
273 | |
274 // Microsoft IIS Internet Communication Settings. | |
275 {"ins", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
276 | |
277 // InstallShield Compiled Script. | |
278 {"inx", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
279 | |
280 // InstallShield Uninstaller Script. | |
281 {"isu", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
282 | |
283 // Microsoft IIS Internet Service Provider Settings. | |
284 {"isp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
285 | |
286 // Windows Task Scheduler Job file. No handler is registered by default, so | |
287 // this is probably normally not dangerous unless saved into the task | |
288 // scheduler directory. | |
289 {"job", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
290 | |
291 // JavaScript file. May open using Windows Script Host with user level | |
292 // privileges. | |
293 {"js", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
294 | |
295 // JScript encoded script file. Usually produced by running Microsoft Script | |
296 // Encoder over a .js file. | |
297 // See https://msdn.microsoft.com/library/d14c8zsc.aspx | |
298 {"jse", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
299 | |
300 // Shortcuts. May open anything. | |
301 {"lnk", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
302 | |
303 // .local files affect DLL search path for .exe file with same base name. | |
304 {"local", DANGEROUS, ALLOW_AUTO_OPEN}, | |
305 | |
306 // While being a generic name, having a .manifest file with the same | |
307 // basename as .exe file (foo.exe + foo.exe.manifest) changes the dll search | |
308 // order for the .exe file. Downloading this kind of file to the users' | |
309 // download directory is almost always the wrong thing to do. | |
310 {"manifest", DANGEROUS, ALLOW_AUTO_OPEN}, | |
311 | |
312 // Media Attachment Unit. | |
313 {"mau", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
314 | |
315 // Multipart HTML. | |
316 {"mht", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
317 {"mhtml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
318 | |
319 {"mmc", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
320 {"mof", DANGEROUS, ALLOW_AUTO_OPEN}, | |
321 | |
322 // Microsoft Management Console Snap-in. Contains executable code. | |
323 {"msc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
324 | |
325 // Opens in Outlook. Not common, but could be exploited (CVE-2015-6172) | |
326 {"msg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
327 | |
328 // Microsoft Shell. | |
329 {"msh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
330 {"msh1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
331 {"msh2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
332 {"mshxml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
333 {"msh1xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
334 {"msh2xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
335 | |
336 // Windows Installer. | |
337 {"msi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
338 {"msp", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
339 {"mst", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
340 | |
341 // ActiveX Control. | |
342 {"ocx", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
343 | |
344 // Microsoft Office Profile Settings File. | |
345 {"ops", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
346 | |
347 // Portable Application Installer File. | |
348 {"paf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
349 | |
350 // Extensions that will open in IE even when chrome is set as default | |
351 // browser. | |
352 {"partial", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
353 {"xrm-ms", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
354 {"rels", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
355 {"svg", NOT_DANGEROUS, ALLOW_AUTO_OPEN}, | |
356 {"xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
357 {"xsl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
358 | |
359 // Microsoft Visual Test. | |
360 {"pcd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
361 | |
362 // Program Information File. Originally intended to configure execution | |
363 // environment for legacy DOS files. They aren't meant to contain executable | |
364 // code. But Windows may execute a PIF file that is sniffed as a PE file. | |
365 {"pif", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
366 | |
367 // Developer Studio Build Log. | |
368 {"plg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
369 | |
370 // Windows System File. | |
371 {"prf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
372 | |
373 // Program File. | |
374 {"prg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
375 | |
376 // Microsoft Exchange Address Book File. Microsoft Outlook Personal Folder | |
377 // File. | |
378 {"pst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
379 | |
380 // Microsoft Windows PowerShell. | |
381 {"ps1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
382 {"ps1xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
383 {"ps2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
384 {"ps2xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
385 {"psc1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
386 {"psc2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
387 | |
388 // Registry file. Opening may cause registry settings to change. Users still | |
389 // need to click through a prompt. So we could consider relaxing the | |
390 // DISALLOW_AUTO_OPEN restriction. | |
391 {"reg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
392 | |
393 // Registry Script Windows. | |
394 {"rgs", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
395 | |
396 // Microsoft Windows Explorer Command. | |
397 // See https://support.microsoft.com/kb/190355 for an example. | |
398 {"scf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
399 | |
400 // Microsoft Windows Screen Saver. | |
401 {"scr", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
402 | |
403 // Microsoft Windows Script Component. Microsoft FoxPro Screen. | |
404 // A Script Component is a COM component created using script. | |
405 // See https://msdn.microsoft.com/library/aa233148.aspx for an example. | |
406 {"sct", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
407 | |
408 // Microsoft Windows Shortcut into a document. | |
409 // See https://support.microsoft.com/kb/212344 | |
410 {"shb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
411 | |
412 // Shell Scrap Object File. | |
413 {"shs", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
414 | |
415 // System executable. Windows tries hard to prevent you from opening these | |
416 // types of files. | |
417 {"sys", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
418 | |
419 // U3 Smart Application. | |
420 {"u3p", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
421 | |
422 // Internet Shortcut (new since IE9). Both .url and .website are .ini files | |
423 // that describe a shortcut that points to a URL. They can point at | |
424 // anything. Dropping a download of this type and opening it automatically | |
425 // can in effect sidestep origin restrictions etc. | |
426 {"url", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
427 {"website", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
428 | |
429 // VBScript files. My open with Windows Script Host and execute with user | |
430 // privileges. | |
431 {"vb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
432 {"vbe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
433 {"vbs", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
434 // Some sites claim .vbscript is a valid extension for vbs files. | |
435 {"vbscript", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
436 | |
437 {"vsd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
438 | |
439 // Microsoft Visual Studio Binary-based Macro Project. | |
440 {"vsmacros", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
441 | |
442 {"vss", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
443 {"vst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
444 | |
445 // Microsoft Visio Workspace. | |
446 {"vsw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
447 | |
448 // Windows Script Host related. | |
449 {"ws", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
450 {"wsc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
451 {"wsf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
452 {"wsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
453 | |
454 // XAML Browser Application. | |
455 {"xbap", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
456 | |
457 // Microsoft Exchange Public Folder Shortcut. | |
458 {"xnk", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN}, | |
459 | |
460 // Windows Vista Index Search Data, for local file system. | |
461 // Used to find files landed surreptitiously w/o UI. | |
462 {"search-ms", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
463 #endif // OS_WIN | |
464 | |
465 // Java. | |
466 #if !defined(OS_CHROMEOS) | |
467 {"class", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
468 {"jar", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
469 {"jnlp", DANGEROUS, DISALLOW_AUTO_OPEN}, | |
470 #endif | |
471 | |
472 #if !defined(OS_CHROMEOS) && !defined(OS_ANDROID) | |
473 // Scripting languages. (Shells are handled below.) | |
474 {"pl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
475 {"py", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
476 {"pyc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
477 {"pyw", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
478 {"rb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
479 | |
480 // Extensible Firmware Interface executable. | |
481 {"efi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
482 #endif | |
483 | |
484 // Shell languages. (OS_ANDROID is OS_POSIX.) OS_WIN shells are handled above. | |
485 #if defined(OS_POSIX) | |
486 {"bash", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
487 {"csh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
488 {"ksh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
489 {"sh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
490 {"shar", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
491 {"tcsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
492 #endif | |
493 #if defined(OS_MACOSX) | |
494 // Automator Action. | |
495 {"action", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
496 | |
497 {"command", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
498 | |
499 // Automator Workflow. | |
500 {"workflow", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
501 | |
502 // Executable file extensions for Mac. | |
503 {"cdr", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
504 {"dart", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
505 {"dc42", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
506 {"diskcopy42", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
507 {"dmg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
508 {"dmgpart", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
509 {"dvdr", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
510 {"img", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
511 {"imgpart", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
512 {"ndif", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
513 {"smi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
514 {"sparsebundle", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
515 {"sparseimage", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
516 {"toast", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
517 {"udif", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
518 #endif | |
519 | |
520 // Package management formats. OS_WIN package formats are handled above. | |
521 #if defined(OS_MACOSX) || defined(OS_LINUX) | |
522 {"pkg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
523 #endif | |
524 #if defined(OS_LINUX) | |
525 {"deb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
526 {"pet", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
527 {"pup", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
528 {"rpm", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
529 {"slp", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
530 | |
531 // "common" executable file extensions for linux. There's not really much | |
532 // reason to block since they require execute bit to actually run. Included | |
533 // for histograms and to match kSafeBrowsingFileTypes. | |
534 {"out", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
535 {"run", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
536 #endif | |
537 #if defined(OS_ANDROID) | |
538 {"dex", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN}, | |
539 #endif | |
540 }; | |
541 | |
542 // FileType for files with an empty extension. | |
543 const FileType kEmptyFileType = {nullptr, NOT_DANGEROUS, DISALLOW_AUTO_OPEN}; | |
544 | |
545 // Default FileType for non-empty extensions that aren't in the list above. | |
546 const FileType kUnknownFileType = {nullptr, NOT_DANGEROUS, ALLOW_AUTO_OPEN}; | |
547 | |
548 const FileType& GetFileType(const base::FilePath& path) { | |
549 base::FilePath::StringType extension(path.FinalExtension()); | |
550 if (extension.empty()) | |
551 return kEmptyFileType; | |
552 if (!base::IsStringASCII(extension)) | |
553 return kUnknownFileType; | |
554 #if defined(OS_WIN) | |
555 std::string ascii_extension = base::UTF16ToASCII(extension); | |
556 #elif defined(OS_POSIX) | |
557 std::string ascii_extension = extension; | |
558 #endif | |
559 | |
560 // Strip out leading dot if it's still there | |
561 if (ascii_extension[0] == base::FilePath::kExtensionSeparator) | |
562 ascii_extension.erase(0, 1); | |
563 | |
564 for (const auto& file_type : kDownloadFileTypes) { | |
565 if (base::LowerCaseEqualsASCII(ascii_extension, file_type.extension)) | |
566 return file_type; | |
567 } | |
568 | |
569 return kUnknownFileType; | |
570 } | |
571 | |
572 } // namespace | |
573 | |
574 DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) { | |
575 return GetFileType(path).danger_level; | |
576 } | |
577 | |
578 bool IsAllowedToOpenAutomatically(const base::FilePath& path) { | |
579 return GetFileType(path).auto_open_hint == ALLOW_AUTO_OPEN; | |
580 } | |
581 | |
582 } // namespace download_util | |