From c08931b03b69d69ebe8698a13e8217611c460558 Mon Sep 17 00:00:00 2001 From: "erikkay@chromium.org" Date: Fri, 8 Oct 2010 22:30:47 +0000 Subject: fix to allow internal installation (sync, default) to bypass origin checks also move gallery origin check ahead of hosted origin check for correctness BUG=45542 TEST=sync an app Review URL: http://codereview.chromium.org/3592018 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@62033 0039d316-1c4b-4281-b951-d872f2087c98 --- chrome/browser/extensions/crx_installer.cc | 37 ++++++++++++++++-------------- 1 file changed, 20 insertions(+), 17 deletions(-) (limited to 'chrome/browser/extensions/crx_installer.cc') diff --git a/chrome/browser/extensions/crx_installer.cc b/chrome/browser/extensions/crx_installer.cc index 40d8cd2..28f873b 100644 --- a/chrome/browser/extensions/crx_installer.cc +++ b/chrome/browser/extensions/crx_installer.cc @@ -187,10 +187,26 @@ bool CrxInstaller::AllowInstall(Extension* extension, std::string* error) { return false; } - // For self-hosted apps, verify that the entire extent is on the same - // host (or a subdomain of the host) the download happened from. There's - // no way for us to verify that the app controls any other hosts. - if (!is_gallery_install_) { + // If the client_ is NULL, then the app is either being installed via + // an internal mechanism like sync, external_extensions, or default apps. + // In that case, we don't want to enforce things like the install origin. + if (!is_gallery_install_ && client_) { + // For apps with a gallery update URL, require that they be installed + // from the gallery. + // TODO(erikkay) Apply this rule for paid extensions and themes as well. + if ((extension->update_url() == + GURL(extension_urls::kGalleryUpdateHttpsUrl)) || + (extension->update_url() == + GURL(extension_urls::kGalleryUpdateHttpUrl))) { + *error = l10n_util::GetStringFUTF8( + IDS_EXTENSION_DISALLOW_NON_DOWNLOADED_GALLERY_INSTALLS, + l10n_util::GetStringUTF16(IDS_EXTENSION_WEB_STORE_TITLE)); + return false; + } + + // For self-hosted apps, verify that the entire extent is on the same + // host (or a subdomain of the host) the download happened from. There's + // no way for us to verify that the app controls any other hosts. URLPattern pattern(UserScript::kValidUserScriptSchemes); pattern.set_host(original_url_.host()); pattern.set_match_subdomains(true); @@ -204,19 +220,6 @@ bool CrxInstaller::AllowInstall(Extension* extension, std::string* error) { return false; } } - - // For apps with a gallery update URL, require that they be installed - // from the gallery. - // TODO(erikkay) Apply this rule for paid extensions and themes as well. - if ((extension->update_url() == - GURL(extension_urls::kGalleryUpdateHttpsUrl)) || - (extension->update_url() == - GURL(extension_urls::kGalleryUpdateHttpUrl))) { - *error = l10n_util::GetStringFUTF8( - IDS_EXTENSION_DISALLOW_NON_DOWNLOADED_GALLERY_INSTALLS, - l10n_util::GetStringUTF16(IDS_EXTENSION_WEB_STORE_TITLE)); - return false; - } } } -- cgit v1.1