// Copyright (c) 2011 The Chromium Authors. All rights reserved. // Use of this source code is governed by a BSD-style license that can be // found in the LICENSE file. #include #include #include "content/browser/safe_util_win.h" #include "base/file_path.h" #include "base/logging.h" #include "base/path_service.h" #include "base/string_util.h" #include "base/win/scoped_comptr.h" #include "ui/base/win/shell.h" namespace { // This GUID is associated with any 'don't ask me again' settings that the // user can select for different file types. // {2676A9A2-D919-4fee-9187-152100393AB2} static const GUID kClientID = { 0x2676a9a2, 0xd919, 0x4fee, { 0x91, 0x87, 0x15, 0x21, 0x0, 0x39, 0x3a, 0xb2 } }; // Directly writes the ZoneIdentifier stream, without using the // IAttachmentExecute service. bool SetInternetZoneIdentifierDirectly(const FilePath& full_path) { const DWORD kShare = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE; std::wstring path = full_path.value() + L":Zone.Identifier"; HANDLE file = CreateFile(path.c_str(), GENERIC_WRITE, kShare, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); if (INVALID_HANDLE_VALUE == file) return false; static const char kIdentifier[] = "[ZoneTransfer]\r\nZoneId=3\r\n"; // Don't include trailing null in data written. static const DWORD kIdentifierSize = arraysize(kIdentifier) - 1; DWORD written = 0; BOOL result = WriteFile(file, kIdentifier, kIdentifierSize, &written, NULL); BOOL flush_result = FlushFileBuffers(file); CloseHandle(file); if (!result || !flush_result || written != kIdentifierSize) { NOTREACHED(); return false; } return true; } } namespace win_util { // This function implementation is based on the attachment execution // services functionally deployed with IE6 or Service pack 2. This // functionality is exposed in the IAttachmentExecute COM interface. // more information at: // http://msdn2.microsoft.com/en-us/library/ms647048.aspx bool SaferOpenItemViaShell(HWND hwnd, const std::wstring& window_title, const FilePath& full_path, const std::wstring& source_url) { base::win::ScopedComPtr attachment_services; HRESULT hr = attachment_services.CreateInstance(CLSID_AttachmentServices); if (FAILED(hr)) { // We don't have Attachment Execution Services, it must be a pre-XP.SP2 // Windows installation, or the thread does not have COM initialized. if (hr == CO_E_NOTINITIALIZED) { NOTREACHED(); return false; } return ui::win::OpenItemViaShell(full_path); } attachment_services->SetClientGuid(kClientID); if (!window_title.empty()) attachment_services->SetClientTitle(window_title.c_str()); // To help windows decide if the downloaded file is dangerous we can provide // what the documentation calls evidence. Which we provide now: // // Set the file itself as evidence. hr = attachment_services->SetLocalPath(full_path.value().c_str()); if (FAILED(hr)) return false; // Set the origin URL as evidence. hr = attachment_services->SetSource(source_url.c_str()); if (FAILED(hr)) return false; // Now check the windows policy. if (attachment_services->CheckPolicy() != S_OK) { // It is possible that the above call returns an undocumented result // equal to 0x800c000e which seems to indicate that the URL failed the // the security check. If you proceed with the Prompt() call the // Shell might show a dialog that says: // "windows found that this file is potentially harmful. To help protect // your computer, Windows has blocked access to this file." // Upon dismissal of the dialog windows will delete the file (!!). // So, we can 'return' in that case but maybe is best to let it happen to // fail on the safe side. ATTACHMENT_ACTION action; // We cannot control what the prompt says or does directly but it // is a pretty decent dialog; for example, if an executable is signed it can // decode and show the publisher and the certificate. hr = attachment_services->Prompt(hwnd, ATTACHMENT_PROMPT_EXEC, &action); if (FAILED(hr) || (ATTACHMENT_ACTION_CANCEL == action)) { // The user has declined opening the item. return false; } } return ui::win::OpenItemViaShellNoZoneCheck(full_path); } bool SetInternetZoneIdentifier(const FilePath& full_path, const std::wstring& source_url) { base::win::ScopedComPtr attachment_services; HRESULT hr = attachment_services.CreateInstance(CLSID_AttachmentServices); if (FAILED(hr)) { // We don't have Attachment Execution Services, it must be a pre-XP.SP2 // Windows installation, or the thread does not have COM initialized. if (hr == CO_E_NOTINITIALIZED) { NOTREACHED(); return false; } // Write the ZoneIdentifier file directly. return SetInternetZoneIdentifierDirectly(full_path); } hr = attachment_services->SetClientGuid(kClientID); if (FAILED(hr)) return false; hr = attachment_services->SetLocalPath(full_path.value().c_str()); if (FAILED(hr)) return false; // Source is necessary for files ending in ".tmp" to avoid error 0x800c000e. hr = attachment_services->SetSource(source_url.c_str()); if (FAILED(hr)) return false; hr = attachment_services->Save(); if (FAILED(hr)) return false; return true; } } // namespace win_util