1 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
8 #include "chrome/browser/download/download_extensions.h"
10 #include "base/strings/string_util.h"
11 #include "net/base/mime_util.h"
12 #include "net/base/net_util.h"
14 namespace download_util {
16 // For file extensions taken from mozilla:
18 /* ***** BEGIN LICENSE BLOCK *****
19 * Version: MPL 1.1/GPL 2.0/LGPL 2.1
21 * The contents of this file are subject to the Mozilla Public License Version
22 * 1.1 (the "License"); you may not use this file except in compliance with
23 * the License. You may obtain a copy of the License at
24 * http://www.mozilla.org/MPL/
26 * Software distributed under the License is distributed on an "AS IS" basis,
27 * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
28 * for the specific language governing rights and limitations under the
31 * The Original Code is Mozilla Communicator client code, released
34 * The Initial Developer of the Original Code is
35 * Netscape Communications Corporation.
36 * Portions created by the Initial Developer are Copyright (C) 1998-1999
37 * the Initial Developer. All Rights Reserved.
40 * Doug Turner <dougt@netscape.com>
41 * Dean Tessman <dean_tessman@hotmail.com>
42 * Brodie Thiesfield <brofield@jellycan.com>
43 * Jungshik Shin <jshin@i18nl10n.com>
45 * Alternatively, the contents of this file may be used under the terms of
46 * either of the GNU General Public License Version 2 or later (the "GPL"),
47 * or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
48 * in which case the provisions of the GPL or the LGPL are applicable instead
49 * of those above. If you wish to allow use of your version of this file only
50 * under the terms of either the GPL or the LGPL, and not to allow others to
51 * use your version of this file under the terms of the MPL, indicate your
52 * decision by deleting the provisions above and replace them with the notice
53 * and other provisions required by the GPL or the LGPL. If you do not delete
54 * the provisions above, a recipient may use your version of this file under
55 * the terms of any one of the MPL, the GPL or the LGPL.
57 * ***** END LICENSE BLOCK ***** */
// Table of file extensions and the DownloadDangerLevel assigned to each.
// Every visible entry is lowercase ASCII with no leading dot and is either
// DANGEROUS or ALLOW_ON_USER_GESTURE. The meaning of those levels is defined
// with DownloadDangerLevel (presumably in download_extensions.h, not shown
// here) -- confirm there before re-classifying an entry.
//
// NOTE(review): this listing appears to have dropped lines. The array
// declarator, the `#endif` lines that close the conditionals, and the end of
// the initializer are not visible. GetFileDangerLevel() iterates
// `g_executables`, which is presumably this table. Consult the original file
// before editing.
//
// NOTE(review): most entries are platform-conditional, so an extension that is
// flagged on one platform may be unflagged on another. When adding an entry,
// decide explicitly which branches need it.
59 static const struct Executables {
// Extension to match, written without the leading dot.
60 const char* extension;
// Danger level reported for a file whose extension matches.
61 DownloadDangerLevel level;
63 // Chrome OS does not suffer from some of the problems of older OS'es.
64 #if !defined(OS_CHROMEOS)
66 { "class", DANGEROUS },
68 { "jnlp", DANGEROUS },
70 #if !defined(OS_CHROMEOS) && !defined(OS_ANDROID)
71 // Relating to scripting languages.
72 { "pl", ALLOW_ON_USER_GESTURE },
73 { "py", ALLOW_ON_USER_GESTURE },
74 { "pyc", ALLOW_ON_USER_GESTURE },
75 { "pyw", ALLOW_ON_USER_GESTURE },
76 { "rb", ALLOW_ON_USER_GESTURE },
78 // Some files are dangerous on all platforms.
79 // Flash files downloaded locally can sometimes access the local filesystem.
80 { "swf", ALLOW_ON_USER_GESTURE },
81 // Chrome extensions should be obtained through the web store.
82 { "crx", ALLOW_ON_USER_GESTURE },
83 // These types can run JavaScript (e.g. HTML and HTML-like).
84 // TODO(cevans): work out whether our restrictions on file:/// are strong
85 // enough to mark these types as no longer dangerous.
86 { "htm", ALLOW_ON_USER_GESTURE },
87 { "html", ALLOW_ON_USER_GESTURE },
88 { "shtm", ALLOW_ON_USER_GESTURE },
89 { "shtml", ALLOW_ON_USER_GESTURE },
90 { "svg", ALLOW_ON_USER_GESTURE },
91 { "xht", ALLOW_ON_USER_GESTURE },
92 { "xhtm", ALLOW_ON_USER_GESTURE },
93 { "xhtml", ALLOW_ON_USER_GESTURE },
94 { "xml", ALLOW_ON_USER_GESTURE },
95 { "xsl", ALLOW_ON_USER_GESTURE },
96 { "xslt", ALLOW_ON_USER_GESTURE },
// NOTE(review): the entries from "ad" through "xbap" are followed by
// `#elif defined(OS_MACOSX)`, so they sit in a conditional branch whose
// opening `#if` line is not visible in this listing. Confirm the platform in
// the original file.
98 { "ad", ALLOW_ON_USER_GESTURE },
99 { "ade", ALLOW_ON_USER_GESTURE },
100 { "adp", ALLOW_ON_USER_GESTURE },
101 { "app", ALLOW_ON_USER_GESTURE },
102 { "application", ALLOW_ON_USER_GESTURE },
103 { "asp", ALLOW_ON_USER_GESTURE },
104 { "asx", ALLOW_ON_USER_GESTURE },
105 { "bas", ALLOW_ON_USER_GESTURE },
106 { "bat", ALLOW_ON_USER_GESTURE },
107 { "cfg", DANGEROUS },
108 { "chi", ALLOW_ON_USER_GESTURE },
109 { "chm", ALLOW_ON_USER_GESTURE },
110 { "cmd", ALLOW_ON_USER_GESTURE },
111 { "com", ALLOW_ON_USER_GESTURE },
112 { "cpl", ALLOW_ON_USER_GESTURE },
113 { "crt", ALLOW_ON_USER_GESTURE },
114 { "dll", DANGEROUS },
115 { "drv", DANGEROUS },
116 { "exe", ALLOW_ON_USER_GESTURE },
117 { "fxp", ALLOW_ON_USER_GESTURE },
118 { "grp", DANGEROUS },
119 { "hlp", ALLOW_ON_USER_GESTURE },
120 { "hta", ALLOW_ON_USER_GESTURE },
121 { "htt", ALLOW_ON_USER_GESTURE },
122 { "inf", ALLOW_ON_USER_GESTURE },
123 { "ini", DANGEROUS },
124 { "ins", ALLOW_ON_USER_GESTURE },
125 { "isp", ALLOW_ON_USER_GESTURE },
126 { "js", ALLOW_ON_USER_GESTURE },
127 { "jse", ALLOW_ON_USER_GESTURE },
128 { "lnk", ALLOW_ON_USER_GESTURE },
129 { "local", DANGEROUS },
130 { "mad", ALLOW_ON_USER_GESTURE },
131 { "maf", ALLOW_ON_USER_GESTURE },
132 { "mag", ALLOW_ON_USER_GESTURE },
133 { "mam", ALLOW_ON_USER_GESTURE },
134 { "manifest", DANGEROUS },
135 { "maq", ALLOW_ON_USER_GESTURE },
136 { "mar", ALLOW_ON_USER_GESTURE },
137 { "mas", ALLOW_ON_USER_GESTURE },
138 { "mat", ALLOW_ON_USER_GESTURE },
139 { "mau", ALLOW_ON_USER_GESTURE },
140 { "mav", ALLOW_ON_USER_GESTURE },
141 { "maw", ALLOW_ON_USER_GESTURE },
142 { "mda", ALLOW_ON_USER_GESTURE },
143 { "mdb", ALLOW_ON_USER_GESTURE },
144 { "mde", ALLOW_ON_USER_GESTURE },
145 { "mdt", ALLOW_ON_USER_GESTURE },
146 { "mdw", ALLOW_ON_USER_GESTURE },
147 { "mdz", ALLOW_ON_USER_GESTURE },
148 { "mht", ALLOW_ON_USER_GESTURE },
149 { "mhtml", ALLOW_ON_USER_GESTURE },
150 { "mmc", ALLOW_ON_USER_GESTURE },
151 { "mof", DANGEROUS },
152 { "msc", ALLOW_ON_USER_GESTURE },
153 { "msh", ALLOW_ON_USER_GESTURE },
154 { "mshxml", ALLOW_ON_USER_GESTURE },
155 { "msi", ALLOW_ON_USER_GESTURE },
156 { "msp", ALLOW_ON_USER_GESTURE },
157 { "mst", ALLOW_ON_USER_GESTURE },
158 { "ocx", DANGEROUS },
159 { "ops", ALLOW_ON_USER_GESTURE },
160 { "pcd", ALLOW_ON_USER_GESTURE },
161 { "pif", ALLOW_ON_USER_GESTURE },
162 { "plg", ALLOW_ON_USER_GESTURE },
163 { "prf", ALLOW_ON_USER_GESTURE },
164 { "prg", ALLOW_ON_USER_GESTURE },
165 { "pst", ALLOW_ON_USER_GESTURE },
166 { "reg", ALLOW_ON_USER_GESTURE },
167 { "scf", ALLOW_ON_USER_GESTURE },
168 { "scr", ALLOW_ON_USER_GESTURE },
169 { "sct", ALLOW_ON_USER_GESTURE },
170 { "shb", ALLOW_ON_USER_GESTURE },
171 { "shs", ALLOW_ON_USER_GESTURE },
172 { "sys", DANGEROUS },
173 { "url", ALLOW_ON_USER_GESTURE },
// NOTE(review): the next entry contains a dot, so it can only match if
// base::FilePath::Extension() returns a two-part extension for such names.
// Confirm against FilePath before relying on it. The TODO below appears
// truncated in this listing.
174 // TODO(davidben): Remove this when double-extensions are no longer
176 { "user.js", ALLOW_ON_USER_GESTURE },
177 { "vb", ALLOW_ON_USER_GESTURE },
178 { "vbe", ALLOW_ON_USER_GESTURE },
179 { "vbs", ALLOW_ON_USER_GESTURE },
180 { "vsd", ALLOW_ON_USER_GESTURE },
181 { "vsmacros", ALLOW_ON_USER_GESTURE },
182 { "vss", ALLOW_ON_USER_GESTURE },
183 { "vst", ALLOW_ON_USER_GESTURE },
184 { "vsw", ALLOW_ON_USER_GESTURE },
185 { "ws", ALLOW_ON_USER_GESTURE },
186 { "wsc", ALLOW_ON_USER_GESTURE },
187 { "wsf", ALLOW_ON_USER_GESTURE },
188 { "wsh", ALLOW_ON_USER_GESTURE },
189 { "xbap", DANGEROUS },
190 #elif defined(OS_MACOSX)
191 { "bash", ALLOW_ON_USER_GESTURE },
192 { "command", ALLOW_ON_USER_GESTURE },
193 { "csh", ALLOW_ON_USER_GESTURE },
194 { "ksh", ALLOW_ON_USER_GESTURE },
195 { "pkg", ALLOW_ON_USER_GESTURE },
196 { "sh", ALLOW_ON_USER_GESTURE },
197 { "shar", ALLOW_ON_USER_GESTURE },
198 { "tcsh", ALLOW_ON_USER_GESTURE },
199 #elif defined(OS_ANDROID)
200 { "apk", ALLOW_ON_USER_GESTURE },
201 { "sh", ALLOW_ON_USER_GESTURE },
202 { "shar", ALLOW_ON_USER_GESTURE },
203 { "dex", ALLOW_ON_USER_GESTURE },
204 #elif defined(OS_POSIX)
205 // TODO(estade): lengthen this list.
206 { "bash", ALLOW_ON_USER_GESTURE },
207 { "csh", ALLOW_ON_USER_GESTURE },
208 { "deb", ALLOW_ON_USER_GESTURE },
209 { "exe", ALLOW_ON_USER_GESTURE },
210 { "ksh", ALLOW_ON_USER_GESTURE },
211 { "rpm", ALLOW_ON_USER_GESTURE },
212 { "sh", ALLOW_ON_USER_GESTURE },
213 { "shar", ALLOW_ON_USER_GESTURE },
214 { "tcsh", ALLOW_ON_USER_GESTURE },
// Returns the danger level for |path|, decided from its extension alone.
// File contents are never inspected here.
//
// Returns NOT_DANGEROUS when the extension is empty, is not pure ASCII, or
// matches no entry in g_executables. Otherwise returns the level of the first
// entry whose extension matches case-insensitively.
//
// NOTE(review): because the decision depends only on the name, the result is
// meaningful only for the final, sanitized target name. Verify that callers
// pass the name the file will actually be written under, and that characters
// the OS ignores at the end of a name are stripped before this call.
//
// NOTE(review): this listing appears to have dropped lines. The `#if` that
// opens the conversion conditional, its `#endif`, and the closing braces of
// the loop and the function are not visible.
218 DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
219 base::FilePath::StringType extension(path.Extension());
220 if (extension.empty())
221 return NOT_DANGEROUS;
// A non-ASCII extension is reported as not dangerous without consulting the
// table. Every entry visible in the table is ASCII; keep it that way, or this
// early return would hide a non-ASCII entry.
222 if (!IsStringASCII(extension))
223 return NOT_DANGEROUS;
// Presumably the branch for platforms where StringType is wide (the opening
// `#if` is not visible) -- confirm.
225 std::string ascii_extension = WideToASCII(extension);
226 #elif defined(OS_POSIX)
227 std::string ascii_extension = extension;
230 // Strip out leading dot if it's still there
// Indexing [0] follows the empty() check on |extension| above.
231 if (ascii_extension[0] == base::FilePath::kExtensionSeparator)
232 ascii_extension.erase(0, 1);
// Linear scan; the first matching entry decides the result.
234 for (size_t i = 0; i < arraysize(g_executables); ++i) {
235 if (LowerCaseEqualsASCII(ascii_extension, g_executables[i].extension))
236 return g_executables[i].level;
// No entry matched: unknown extensions default to NOT_DANGEROUS, so the table
// acts as a deny-list rather than an allow-list.
238 return NOT_DANGEROUS;
// MIME type patterns that IsExecutableMimeType() checks first, before
// kExecutableBlackList and before the generic "application/*" fallback.
// Judging by the comments on the entries, a match presumably means the type
// IS treated as executable, despite the "white list" name -- confirm against
// IsExecutableMimeType().
//
// NOTE(review): this listing appears to have dropped entries. For example, no
// entry follows the registry-file comment, and the closing `};` is not
// visible. Consult the original file for the full list.
241 static const char* kExecutableWhiteList[] = {
242 // JavaScript is just as powerful as EXE.
244 "text/javascript;version=*",
246 // Registry files can cause critical changes to the MS OS behavior.
247 // Addition of this mimetype also addresses bug 7337.
250 // Some sites use binary/octet-stream to mean application/octet-stream.
251 // See http://code.google.com/p/chromium/issues/detail?id=1573
252 "binary/octet-stream"
// MIME type patterns that IsExecutableMimeType() checks after
// kExecutableWhiteList. Per the comment below, these are application types
// that are not executable.
//
// NOTE(review): neither the entries nor the closing `};` are visible in this
// listing. Consult the original file for the actual patterns.
255 static const char* kExecutableBlackList[] = {
256 // These application types are not executable.
// Reports whether |mime_type| should be treated as an executable type.
//
// The checks run in this order:
//   1. kExecutableWhiteList patterns,
//   2. kExecutableBlackList patterns,
//   3. otherwise, whether |mime_type| matches "application/*".
// A type that matches neither list and is not "application/*" is reported as
// not executable by the final return.
//
// NOTE(review): the statements guarded by the two `if`s are not visible in
// this listing. Presumably a white-list match returns true and a black-list
// match returns false -- confirm in the original file.
//
// NOTE(review): if |mime_type| comes from a server-supplied Content-Type
// header, it is controlled by the remote side. Treat this result as a
// heuristic that complements the extension check in GetFileDangerLevel(), not
// as a replacement for it. Confirm what callers pass in.
261 bool IsExecutableMimeType(const std::string& mime_type) {
// The white list is consulted first, so it takes precedence over the black
// list for a type that matches both.
262 for (size_t i = 0; i < arraysize(kExecutableWhiteList); ++i) {
263 if (net::MatchesMimeType(kExecutableWhiteList[i], mime_type))
266 for (size_t i = 0; i < arraysize(kExecutableBlackList); ++i) {
267 if (net::MatchesMimeType(kExecutableBlackList[i], mime_type))
270 // We consider only other application types to be executable.
271 return net::MatchesMimeType("application/*", mime_type);
275 } // namespace download_util