Prevent asking for authorization to run whitelisted plugins.

BUG=80737
TEST=Whitelist a plugin (by adding it to the EnabledPlugins policy) that is outdated or that required authorization to run (e.g. Java). When it is whitelisted, it won't ask for permission to run.

Review URL: http://codereview.chromium.org/6883237

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@83505 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 48 insertions, 0 deletions

diff --git a/webkit/plugins/npapi/plugin_group.cc b/webkit/plugins/npapi/plugin_group.cc
index b86a7bb..537b204 100644
--- a/webkit/plugins/npapi/plugin_group.cc
+++ b/webkit/plugins/npapi/plugin_group.cc
@@ -471,8 +471,20 @@ bool PluginGroup::IsPluginOutdated(const Version& plugin_version,
   return false;
 }
 
+bool PluginGroup::IsWhitelisted() const {
+  for (size_t i = 0; i < web_plugin_infos_.size(); ++i) {
+    if (web_plugin_infos_[i].enabled & WebPluginInfo::POLICY_ENABLED)
+      return true;
+  }
+  return false;
+}
+
 // Returns true if the latest version of this plugin group is vulnerable.
 bool PluginGroup::IsVulnerable() const {
+  // A plugin isn't considered vulnerable if it's explicitly whitelisted.
+  if (IsWhitelisted())
+    return false;
+
   for (size_t i = 0; i < version_ranges_.size(); ++i) {
     if (IsPluginOutdated(*version_, version_ranges_[i]))
       return true;
@@ -481,6 +493,10 @@ bool PluginGroup::IsVulnerable() const {
 }
 
 bool PluginGroup::RequiresAuthorization() const {
+  // A plugin doesn't require authorization if it's explicitly whitelisted.
+  if (IsWhitelisted())
+    return false;
+
   for (size_t i = 0; i < version_ranges_.size(); ++i) {
     if (IsVersionInRange(*version_, version_ranges_[i]) &&
         version_ranges_[i].requires_authorization)
diff --git a/webkit/plugins/npapi/plugin_group.h b/webkit/plugins/npapi/plugin_group.h
index 7a3bf04..fa6a16b 100644
--- a/webkit/plugins/npapi/plugin_group.h
+++ b/webkit/plugins/npapi/plugin_group.h
@@ -174,6 +174,9 @@ class PluginGroup {
   // Returns the update URL.
   std::string GetUpdateURL() const { return update_url_; }
 
+  // Returns true if this plugin group is whitelisted.
+  bool IsWhitelisted() const;
+
   // Returns true if the highest-priority plugin in this group has known
   // security problems.
   bool IsVulnerable() const;
diff --git a/webkit/plugins/npapi/plugin_group_unittest.cc b/webkit/plugins/npapi/plugin_group_unittest.cc
index 18ddd45..4e4eee5 100644
--- a/webkit/plugins/npapi/plugin_group_unittest.cc
+++ b/webkit/plugins/npapi/plugin_group_unittest.cc
@@ -357,6 +357,35 @@ TEST_F(PluginGroupTest, IsVulnerable) {
   EXPECT_TRUE(PluginGroup(*group).RequiresAuthorization());
 }
 
+TEST_F(PluginGroupTest, WhitelistedIsNotVulnerable) {
+  VersionRangeDefinition version_range[] = {
+      { "0", "6", "5.0", true }
+  };
+  PluginGroupDefinition plugin_def = {
+      "nativehtml5", "NativeHTML5", "NativeHTML5", version_range,
+      arraysize(version_range),
+      "http://bugzilla.mozilla.org/show_bug.cgi?id=649408" };
+  WebPluginInfo plugin(ASCIIToUTF16("NativeHTML5"),
+                       FilePath(FILE_PATH_LITERAL("/native.so")),
+                       ASCIIToUTF16("4.0"),
+                       ASCIIToUTF16("NativeHTML5"));
+  scoped_ptr<PluginGroup> group(PluginGroupTest::CreatePluginGroup(plugin_def));
+  group->AddPlugin(plugin);
+
+  EXPECT_TRUE(group->IsVulnerable());
+  EXPECT_TRUE(group->RequiresAuthorization());
+
+  std::set<string16> enabled_plugins;
+  enabled_plugins.insert(ASCIIToUTF16("NativeHTML5"));
+  PluginGroup::SetPolicyEnforcedPluginPatterns(std::set<string16>(),
+                                               std::set<string16>(),
+                                               enabled_plugins);
+  group->EnforceGroupPolicy();
+
+  EXPECT_FALSE(group->IsVulnerable());
+  EXPECT_FALSE(group->RequiresAuthorization());
+}
+
 TEST_F(PluginGroupTest, MultipleVersions) {
   scoped_ptr<PluginGroup> group(
       PluginGroupTest::CreatePluginGroup(kPluginDef3));