path: root/chrome/browser/download/download_extensions.cc

// Copyright (c) 2012 The Chromium Authors. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include <set>
#include <string>

#include "chrome/browser/download/download_extensions.h"

#include "base/macros.h"
#include "base/strings/string_util.h"
#include "base/strings/utf_string_conversions.h"
#include "build/build_config.h"
#include "net/base/mime_util.h"
#include "net/base/net_util.h"

namespace download_util {

namespace {

enum DownloadAutoOpenHint {
  ALLOW_AUTO_OPEN,

  // The file type should not be allowed to open automatically.
  //
  // Criteria for disallowing a file type from opening automatically:
  //
  // Includes file types that upon opening may either:
  //   * ... execute arbitrary or harmful code with user privileges.
  //   * ... change configuration of the system to cause harmful behavior
  //     immediately or at some time in the future.
  //
  // Doesn't include file types that upon opening:
  //   * ... sufficiently warn the user about the fact that:
  //     - This file was downloaded from the internet.
  //     - Opening it can make specified changes to the system.
  //     (Note that any such warnings need to be displayed prior to the harmful
  //     logic being executed).
  //   * ... does nothing particularly dangerous, despite the act of downloading
  //     itself being dangerous (E.g. .local and .manifest files).
  DISALLOW_AUTO_OPEN,
};

// Guidelines for adding a new dangerous file type:
//
// * Include a comment above the file type that:
//   - Describes the file type.
//   - Justifies why it is considered dangerous if this isn't obvious from the
//     description.
//   - Justifies why the file type is disallowed from auto opening, if
//     necessary.
// * Add the file extension to the kDangerousFileTypes array in
//   download_stats.cc.
//
// TODO(asanka): All file types listed below should have descriptions.
const struct FileType {
  const char* extension;  // Extension sans leading extension separator.
  DownloadDangerLevel danger_level;
  DownloadAutoOpenHint auto_open_hint;
} kDownloadFileTypes[] = {
    // Some files are dangerous on all platforms.

    // Flash files downloaded locally can sometimes access the local filesystem.
    {"swf", DANGEROUS, DISALLOW_AUTO_OPEN},
    {"spl", DANGEROUS, DISALLOW_AUTO_OPEN},

    // Chrome extensions should be obtained through the web store. Allowed to
    // open automatically because Chrome displays a prompt prior to
    // installation.
    {"crx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Included for parity with kSafeBrowsingFileTypes.
    {"bin", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"rtf", NOT_DANGEROUS, ALLOW_AUTO_OPEN},

    // Archive file types. Not inherently dangerous, but could contain dangerous
    // files. Included for parity with kSafeBrowsingFileTypes.
    {"001", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"7z", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"ace", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"arc", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"arj", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"b64", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"balz", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"bhx", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"bz", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"bz2", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"bzip2", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"cab", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"cpio", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"fat", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"gz", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"gzip", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"hfs", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"hqx", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"iso", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"lha", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"lpaq1", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"lpaq5", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"lpaq8", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"lzh", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"lzma", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"mim", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"ntfs", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"paq8f", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"paq8jd", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"paq8l", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"paq8o", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"pea", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"quad", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r00", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r01", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r02", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r03", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r04", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r05", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r06", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r07", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r08", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r09", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r10", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r11", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r12", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r13", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r14", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r15", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r16", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r17", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r18", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r19", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r20", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r21", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r22", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r23", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r24", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r25", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r26", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r27", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r28", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"r29", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"rar", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"squashfs", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"swm", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"tar", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"taz", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"tbz", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"tbz2", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"tgz", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"tpz", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"txz", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"tz", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"udf", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"uu", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"uue", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"vhd", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"vhdx", NOT_DANGEROUS, ALLOW_AUTO_OPEN},  // Opens in IE, drops MOTW
    {"vmdk", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"wim", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"wrc", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"xar", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"xxe", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"xz", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"z", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"zip", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"zipx", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"zpaq", NOT_DANGEROUS, ALLOW_AUTO_OPEN},

    // Windows, all file categories. The list is in alphabetical order of
    // extensions. Exceptions are made for logical groupings of file types.
    //
    // Some file descriptions are based on
    // https://support.office.com/article/Blocked-attachments-in-Outlook-3811cddc-17c3-4279-a30c-060ba0207372
#if defined(OS_WIN)
    {"ad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Microsoft Access related.
    {"ade", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Project extension
    {"adp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Project.
    {"mad", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Module Shortcut.
    {"maf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
    {"mag", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Diagram Shortcut.
    {"mam", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Macro Shortcut.
    {"maq", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Query Shortcut.
    {"mar", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Report Shortcut.
    {"mas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Stored Procedures.
    {"mat", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Table Shortcut.
    {"mav", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // View Shortcut.
    {"maw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Data Access Page.
    {"mda", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Access Add-in.
    {"mdb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Database.
    {"mde", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Database.
    {"mdt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Add-in Data.
    {"mdw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Workgroup Information.
    {"mdz", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},  // Wizard Template.

    // Executable Application.
    {"app", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Microsoft ClickOnce depolyment manifest. By default, opens with
    // dfshim.dll which should prompt the user before running untrusted code.
    {"application", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
    // ClickOnce application reference. Basically a .lnk for ClickOnce apps.
    {"appref-ms", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Active Server Pages source file.
    {"asp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Advanced Stream Redirector. Contains a playlist of media files.
    {"asx", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Microsoft Visual Basic source file. Opens by default in an editor.
    {"bas", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Command script.
    {"bat", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    {"cfg", DANGEROUS, ALLOW_AUTO_OPEN},

    // Windows Compiled HTML Help files.
    {"chi", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
    {"chm", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Command script.
    {"cmd", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Windows legacy executable.
    {"com", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Control panel tool. Executable.
    {"cpl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Signed certificate file.
    {"crt", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Windows executables.
    {"dll", DANGEROUS, DISALLOW_AUTO_OPEN},
    {"drv", DANGEROUS, DISALLOW_AUTO_OPEN},

    // Opens in Outlook. Not common, but could be exploited (CVE-2015-6172)
    {"eml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Windows executable
    {"exe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Font file, uses Portable Executable or New Executable format. Not
    // supposed to contain executable code.
    {"fon", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Microsoft FoxPro Compiled Source.
    {"fxp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Windows Sidebar Gadget (Vista & Win 7). ZIP archive containing html + js.
    // Deprecated by Microsoft. Can run arbitrary code with user privileges.
    // (https://technet.microsoft.com/library/security/2719662)
    {"gadget", DANGEROUS, DISALLOW_AUTO_OPEN},

    // MSProgramGroup (?).
    {"grp", DANGEROUS, ALLOW_AUTO_OPEN},

    // Windows legacy help file format.
    {"hlp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // HTML Application. Executes as a fully trusted application.
    {"hta", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Hypertext Template File. See https://support.microsoft.com/kb/181689.
    {"htt", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Device installation information.
    {"inf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Generic configuration file.
    {"ini", DANGEROUS, ALLOW_AUTO_OPEN},

    // Microsoft IIS Internet Communication Settings.
    {"ins", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // InstallShield Compiled Script.
    {"inx", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // InstallShield Uninstaller Script.
    {"isu", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Microsoft IIS Internet Service Provider Settings.
    {"isp", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Windows Task Scheduler Job file. No handler is registered by default, so
    // this is probably normally not dangerous unless saved into the task
    // scheduler directory.
    {"job", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // JavaScript file. May open using Windows Script Host with user level
    // privileges.
    {"js", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // JScript encoded script file. Usually produced by running Microsoft Script
    // Encoder over a .js file.
    // See https://msdn.microsoft.com/library/d14c8zsc.aspx
    {"jse", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Shortcuts. May open anything.
    {"lnk", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // .local files affect DLL search path for .exe file with same base name.
    {"local", DANGEROUS, ALLOW_AUTO_OPEN},

    // While being a generic name, having a .manifest file with the same
    // basename as .exe file (foo.exe + foo.exe.manifest) changes the dll search
    // order for the .exe file. Downloading this kind of file to the users'
    // download directory is almost always the wrong thing to do.
    {"manifest", DANGEROUS, ALLOW_AUTO_OPEN},

    // Media Attachment Unit.
    {"mau", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Multipart HTML.
    {"mht", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
    {"mhtml", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    {"mmc", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
    {"mof", DANGEROUS, ALLOW_AUTO_OPEN},

    // Microsoft Management Console Snap-in. Contains executable code.
    {"msc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Opens in Outlook. Not common, but could be exploited (CVE-2015-6172)
    {"msg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Microsoft Shell.
    {"msh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"msh1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"msh2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"mshxml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"msh1xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"msh2xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Windows Installer.
    {"msi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"msp", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"mst", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // ActiveX Control.
    {"ocx", DANGEROUS, DISALLOW_AUTO_OPEN},

    // Microsoft Office Profile Settings File.
    {"ops", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Portable Application Installer File.
    {"paf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Extensions that will open in IE even when chrome is set as default
    // browser.
    {"partial", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"xrm-ms", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"rels", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"svg", NOT_DANGEROUS, ALLOW_AUTO_OPEN},
    {"xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"xsl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Microsoft Visual Test.
    {"pcd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Program Information File. Originally intended to configure execution
    // environment for legacy DOS files. They aren't meant to contain executable
    // code. But Windows may execute a PIF file that is sniffed as a PE file.
    {"pif", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Developer Studio Build Log.
    {"plg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Windows System File.
    {"prf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Program File.
    {"prg", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Microsoft Exchange Address Book File. Microsoft Outlook Personal Folder
    // File.
    {"pst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Microsoft Windows PowerShell.
    {"ps1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"ps1xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"ps2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"ps2xml", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"psc1", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"psc2", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Registry file. Opening may cause registry settings to change. Users still
    // need to click through a prompt. So we could consider relaxing the
    // DISALLOW_AUTO_OPEN restriction.
    {"reg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Registry Script Windows.
    {"rgs", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Microsoft Windows Explorer Command.
    // See https://support.microsoft.com/kb/190355 for an example.
    {"scf", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Microsoft Windows Screen Saver.
    {"scr", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Microsoft Windows Script Component. Microsoft FoxPro Screen.
    // A Script Component is a COM component created using script.
    // See https://msdn.microsoft.com/library/aa233148.aspx for an example.
    {"sct", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Microsoft Windows Shortcut into a document.
    // See https://support.microsoft.com/kb/212344
    {"shb", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Shell Scrap Object File.
    {"shs", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // System executable. Windows tries hard to prevent you from opening these
    // types of files.
    {"sys", DANGEROUS, DISALLOW_AUTO_OPEN},

    // U3 Smart Application.
    {"u3p", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Internet Shortcut (new since IE9). Both .url and .website are .ini files
    // that describe a shortcut that points to a URL. They can point at
    // anything. Dropping a download of this type and opening it automatically
    // can in effect sidestep origin restrictions etc.
    {"url", DANGEROUS, DISALLOW_AUTO_OPEN},
    {"website", DANGEROUS, DISALLOW_AUTO_OPEN},

    // VBScript files. My open with Windows Script Host and execute with user
    // privileges.
    {"vb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"vbe", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"vbs", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    // Some sites claim .vbscript is a valid extension for vbs files.
    {"vbscript", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    {"vsd", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Microsoft Visual Studio Binary-based Macro Project.
    {"vsmacros", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    {"vss", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
    {"vst", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Microsoft Visio Workspace.
    {"vsw", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},

    // Windows Script Host related.
    {"ws", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"wsc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"wsf", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"wsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // XAML Browser Application.
    {"xbap", DANGEROUS, DISALLOW_AUTO_OPEN},

    // Microsoft Exchange Public Folder Shortcut.
    {"xnk", ALLOW_ON_USER_GESTURE, ALLOW_AUTO_OPEN},
#endif  // OS_WIN

  // Java.
#if !defined(OS_CHROMEOS)
    {"class", DANGEROUS, DISALLOW_AUTO_OPEN},
    {"jar", DANGEROUS, DISALLOW_AUTO_OPEN},
    {"jnlp", DANGEROUS, DISALLOW_AUTO_OPEN},
#endif

#if !defined(OS_CHROMEOS) && !defined(OS_ANDROID)
    // Scripting languages. (Shells are handled below.)
    {"pl", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"py", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"pyc", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"pyw", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"rb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Extensible Firmware Interface executable.
    {"efi", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
#endif

  // Shell languages. (OS_ANDROID is OS_POSIX.) OS_WIN shells are handled above.
#if defined(OS_POSIX)
    {"bash", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"csh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"ksh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"sh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"shar", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"tcsh", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
#endif
#if defined(OS_MACOSX)
    // Automator Action.
    {"action", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    {"command", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // Automator Workflow.
    {"workflow", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
#endif

  // Package management formats. OS_WIN package formats are handled above.
#if defined(OS_MACOSX) || defined(OS_LINUX)
    {"pkg", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
#endif
#if defined(OS_LINUX)
    {"deb", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"pet", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"pup", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"rpm", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"slp", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},

    // "common" executable file extensions for linux. There's not really much
    // reason to block since they require execute bit to actually run. Included
    // for histograms and to match kSafeBrowsingFileTypes.
    {"out", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
    {"run", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
#endif
#if defined(OS_ANDROID)
    {"dex", ALLOW_ON_USER_GESTURE, DISALLOW_AUTO_OPEN},
#endif
};

// FileType for files with an empty extension.
const FileType kEmptyFileType = {nullptr, NOT_DANGEROUS, DISALLOW_AUTO_OPEN};

// Default FileType for non-empty extensions that aren't in the list above.
const FileType kUnknownFileType = {nullptr, NOT_DANGEROUS, ALLOW_AUTO_OPEN};

const FileType& GetFileType(const base::FilePath& path) {
  base::FilePath::StringType extension(path.FinalExtension());
  if (extension.empty())
    return kEmptyFileType;
  if (!base::IsStringASCII(extension))
    return kUnknownFileType;
#if defined(OS_WIN)
  std::string ascii_extension = base::UTF16ToASCII(extension);
#elif defined(OS_POSIX)
  std::string ascii_extension = extension;
#endif

  // Strip out leading dot if it's still there
  if (ascii_extension[0] == base::FilePath::kExtensionSeparator)
    ascii_extension.erase(0, 1);

  for (const auto& file_type : kDownloadFileTypes) {
    if (base::LowerCaseEqualsASCII(ascii_extension, file_type.extension))
      return file_type;
  }

  return kUnknownFileType;
}

}  // namespace

DownloadDangerLevel GetFileDangerLevel(const base::FilePath& path) {
  return GetFileType(path).danger_level;
}

bool IsAllowedToOpenAutomatically(const base::FilePath& path) {
  return GetFileType(path).auto_open_hint == ALLOW_AUTO_OPEN;
}

}  // namespace download_util