1*6777b538SAndroid Build Coastguard Worker // Copyright 2014 The Chromium Authors
2*6777b538SAndroid Build Coastguard Worker // Use of this source code is governed by a BSD-style license that can be
3*6777b538SAndroid Build Coastguard Worker // found in the LICENSE file.
4*6777b538SAndroid Build Coastguard Worker
5*6777b538SAndroid Build Coastguard Worker #include "net/base/filename_util.h"
6*6777b538SAndroid Build Coastguard Worker
7*6777b538SAndroid Build Coastguard Worker #include <set>
8*6777b538SAndroid Build Coastguard Worker
9*6777b538SAndroid Build Coastguard Worker #include "base/files/file_path.h"
10*6777b538SAndroid Build Coastguard Worker #include "base/files/file_util.h"
11*6777b538SAndroid Build Coastguard Worker #include "base/path_service.h"
12*6777b538SAndroid Build Coastguard Worker #include "base/strings/escape.h"
13*6777b538SAndroid Build Coastguard Worker #include "base/strings/string_number_conversions.h"
14*6777b538SAndroid Build Coastguard Worker #include "base/strings/string_util.h"
15*6777b538SAndroid Build Coastguard Worker #include "base/strings/sys_string_conversions.h"
16*6777b538SAndroid Build Coastguard Worker #include "base/strings/utf_string_conversions.h"
17*6777b538SAndroid Build Coastguard Worker #include "base/threading/thread_restrictions.h"
18*6777b538SAndroid Build Coastguard Worker #include "build/build_config.h"
19*6777b538SAndroid Build Coastguard Worker #include "net/base/filename_util_internal.h"
20*6777b538SAndroid Build Coastguard Worker #include "net/base/net_string_util.h"
21*6777b538SAndroid Build Coastguard Worker #include "net/base/url_util.h"
22*6777b538SAndroid Build Coastguard Worker #include "net/http/http_content_disposition.h"
23*6777b538SAndroid Build Coastguard Worker #include "url/gurl.h"
24*6777b538SAndroid Build Coastguard Worker
25*6777b538SAndroid Build Coastguard Worker namespace net {
26*6777b538SAndroid Build Coastguard Worker
27*6777b538SAndroid Build Coastguard Worker // Prefix to prepend to get a file URL.
28*6777b538SAndroid Build Coastguard Worker static const char kFileURLPrefix[] = "file:///";
29*6777b538SAndroid Build Coastguard Worker
FilePathToFileURL(const base::FilePath & path)30*6777b538SAndroid Build Coastguard Worker GURL FilePathToFileURL(const base::FilePath& path) {
31*6777b538SAndroid Build Coastguard Worker // Produce a URL like "file:///C:/foo" for a regular file, or
32*6777b538SAndroid Build Coastguard Worker // "file://///server/path" for UNC. The URL canonicalizer will fix up the
33*6777b538SAndroid Build Coastguard Worker // latter case to be the canonical UNC form: "file://server/path"
34*6777b538SAndroid Build Coastguard Worker std::string url_string(kFileURLPrefix);
35*6777b538SAndroid Build Coastguard Worker
36*6777b538SAndroid Build Coastguard Worker // GURL() strips some whitespace and trailing control chars which are valid
37*6777b538SAndroid Build Coastguard Worker // in file paths. It also interprets chars such as `%;#?` and maybe `\`, so we
38*6777b538SAndroid Build Coastguard Worker // must percent encode these first. Reserve max possible length up front.
39*6777b538SAndroid Build Coastguard Worker std::string utf8_path = path.AsUTF8Unsafe();
40*6777b538SAndroid Build Coastguard Worker url_string.reserve(url_string.size() + (3 * utf8_path.size()));
41*6777b538SAndroid Build Coastguard Worker
42*6777b538SAndroid Build Coastguard Worker for (auto c : utf8_path) {
43*6777b538SAndroid Build Coastguard Worker if (c == '%' || c == ';' || c == '#' || c == '?' ||
44*6777b538SAndroid Build Coastguard Worker #if BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
45*6777b538SAndroid Build Coastguard Worker c == '\\' ||
46*6777b538SAndroid Build Coastguard Worker #endif
47*6777b538SAndroid Build Coastguard Worker c <= ' ') {
48*6777b538SAndroid Build Coastguard Worker url_string += '%';
49*6777b538SAndroid Build Coastguard Worker base::AppendHexEncodedByte(static_cast<uint8_t>(c), url_string);
50*6777b538SAndroid Build Coastguard Worker } else {
51*6777b538SAndroid Build Coastguard Worker url_string += c;
52*6777b538SAndroid Build Coastguard Worker }
53*6777b538SAndroid Build Coastguard Worker }
54*6777b538SAndroid Build Coastguard Worker
55*6777b538SAndroid Build Coastguard Worker return GURL(url_string);
56*6777b538SAndroid Build Coastguard Worker }
57*6777b538SAndroid Build Coastguard Worker
FileURLToFilePath(const GURL & url,base::FilePath * file_path)58*6777b538SAndroid Build Coastguard Worker bool FileURLToFilePath(const GURL& url, base::FilePath* file_path) {
59*6777b538SAndroid Build Coastguard Worker *file_path = base::FilePath();
60*6777b538SAndroid Build Coastguard Worker base::FilePath::StringType& file_path_str =
61*6777b538SAndroid Build Coastguard Worker const_cast<base::FilePath::StringType&>(file_path->value());
62*6777b538SAndroid Build Coastguard Worker file_path_str.clear();
63*6777b538SAndroid Build Coastguard Worker
64*6777b538SAndroid Build Coastguard Worker if (!url.is_valid())
65*6777b538SAndroid Build Coastguard Worker return false;
66*6777b538SAndroid Build Coastguard Worker
67*6777b538SAndroid Build Coastguard Worker // We may want to change this to a CHECK in the future.
68*6777b538SAndroid Build Coastguard Worker if (!url.SchemeIsFile())
69*6777b538SAndroid Build Coastguard Worker return false;
70*6777b538SAndroid Build Coastguard Worker
71*6777b538SAndroid Build Coastguard Worker #if BUILDFLAG(IS_WIN)
72*6777b538SAndroid Build Coastguard Worker std::string path;
73*6777b538SAndroid Build Coastguard Worker std::string host = url.host();
74*6777b538SAndroid Build Coastguard Worker if (host.empty()) {
75*6777b538SAndroid Build Coastguard Worker // URL contains no host, the path is the filename. In this case, the path
76*6777b538SAndroid Build Coastguard Worker // will probably be preceded with a slash, as in "/C:/foo.txt", so we
77*6777b538SAndroid Build Coastguard Worker // trim out that here.
78*6777b538SAndroid Build Coastguard Worker path = url.path();
79*6777b538SAndroid Build Coastguard Worker size_t first_non_slash = path.find_first_not_of("/\\");
80*6777b538SAndroid Build Coastguard Worker if (first_non_slash != std::string::npos && first_non_slash > 0)
81*6777b538SAndroid Build Coastguard Worker path.erase(0, first_non_slash);
82*6777b538SAndroid Build Coastguard Worker } else {
83*6777b538SAndroid Build Coastguard Worker // URL contains a host: this means it's UNC. We keep the preceding slash
84*6777b538SAndroid Build Coastguard Worker // on the path.
85*6777b538SAndroid Build Coastguard Worker path = "\\\\";
86*6777b538SAndroid Build Coastguard Worker path.append(host);
87*6777b538SAndroid Build Coastguard Worker path.append(url.path());
88*6777b538SAndroid Build Coastguard Worker }
89*6777b538SAndroid Build Coastguard Worker std::replace(path.begin(), path.end(), '/', '\\');
90*6777b538SAndroid Build Coastguard Worker #else // BUILDFLAG(IS_WIN)
91*6777b538SAndroid Build Coastguard Worker // On POSIX, there's no obvious interpretation of file:// URLs with a host.
92*6777b538SAndroid Build Coastguard Worker // Usually, remote mounts are still mounted onto the local filesystem.
93*6777b538SAndroid Build Coastguard Worker // Therefore, we discard all URLs that are not obviously local to prevent
94*6777b538SAndroid Build Coastguard Worker // spoofing attacks using file:// URLs. See crbug.com/881675.
95*6777b538SAndroid Build Coastguard Worker if (!url.host().empty() && !net::IsLocalhost(url)) {
96*6777b538SAndroid Build Coastguard Worker return false;
97*6777b538SAndroid Build Coastguard Worker }
98*6777b538SAndroid Build Coastguard Worker std::string path = url.path();
99*6777b538SAndroid Build Coastguard Worker #endif // !BUILDFLAG(IS_WIN)
100*6777b538SAndroid Build Coastguard Worker
101*6777b538SAndroid Build Coastguard Worker if (path.empty())
102*6777b538SAndroid Build Coastguard Worker return false;
103*6777b538SAndroid Build Coastguard Worker
104*6777b538SAndroid Build Coastguard Worker // "%2F" ('/') results in failure, because it represents a literal '/'
105*6777b538SAndroid Build Coastguard Worker // character in a path segment (not a path separator). If this were decoded,
106*6777b538SAndroid Build Coastguard Worker // it would be interpreted as a path separator on both POSIX and Windows (note
107*6777b538SAndroid Build Coastguard Worker // that Firefox *does* decode this, but it was decided on
108*6777b538SAndroid Build Coastguard Worker // https://crbug.com/585422 that this represents a potential security risk).
109*6777b538SAndroid Build Coastguard Worker // It isn't correct to keep it as "%2F", so this just fails. This is fine,
110*6777b538SAndroid Build Coastguard Worker // because '/' is not a valid filename character on either POSIX or Windows.
111*6777b538SAndroid Build Coastguard Worker //
112*6777b538SAndroid Build Coastguard Worker // A valid URL may include "%00" (NULL) in its path (see
113*6777b538SAndroid Build Coastguard Worker // https://crbug.com/1400251), which is considered an illegal filename and
114*6777b538SAndroid Build Coastguard Worker // results in failure.
115*6777b538SAndroid Build Coastguard Worker std::set<unsigned char> illegal_encoded_bytes{'/', '\0'};
116*6777b538SAndroid Build Coastguard Worker
117*6777b538SAndroid Build Coastguard Worker #if BUILDFLAG(IS_WIN)
118*6777b538SAndroid Build Coastguard Worker // "%5C" ('\\') on Windows results in failure, for the same reason as '/'
119*6777b538SAndroid Build Coastguard Worker // above. On POSIX, "%5C" simply decodes as '\\', a valid filename character.
120*6777b538SAndroid Build Coastguard Worker illegal_encoded_bytes.insert('\\');
121*6777b538SAndroid Build Coastguard Worker #endif
122*6777b538SAndroid Build Coastguard Worker
123*6777b538SAndroid Build Coastguard Worker if (base::ContainsEncodedBytes(path, illegal_encoded_bytes))
124*6777b538SAndroid Build Coastguard Worker return false;
125*6777b538SAndroid Build Coastguard Worker
126*6777b538SAndroid Build Coastguard Worker // Unescape all percent-encoded sequences, including blocked-for-display
127*6777b538SAndroid Build Coastguard Worker // characters, control characters and invalid UTF-8 byte sequences.
128*6777b538SAndroid Build Coastguard Worker // Percent-encoded bytes are not meaningful in a file system.
129*6777b538SAndroid Build Coastguard Worker path = base::UnescapeBinaryURLComponent(path);
130*6777b538SAndroid Build Coastguard Worker
131*6777b538SAndroid Build Coastguard Worker #if BUILDFLAG(IS_WIN)
132*6777b538SAndroid Build Coastguard Worker if (base::IsStringUTF8(path)) {
133*6777b538SAndroid Build Coastguard Worker file_path_str.assign(base::UTF8ToWide(path));
134*6777b538SAndroid Build Coastguard Worker // We used to try too hard and see if |path| made up entirely of
135*6777b538SAndroid Build Coastguard Worker // the 1st 256 characters in the Unicode was a zero-extended UTF-16.
136*6777b538SAndroid Build Coastguard Worker // If so, we converted it to 'Latin-1' and checked if the result was UTF-8.
137*6777b538SAndroid Build Coastguard Worker // If the check passed, we converted the result to UTF-8.
138*6777b538SAndroid Build Coastguard Worker // Otherwise, we treated the result as the native OS encoding.
139*6777b538SAndroid Build Coastguard Worker // However, that led to http://crbug.com/4619 and http://crbug.com/14153
140*6777b538SAndroid Build Coastguard Worker } else {
141*6777b538SAndroid Build Coastguard Worker // Not UTF-8, assume encoding is native codepage and we're done. We know we
142*6777b538SAndroid Build Coastguard Worker // are giving the conversion function a nonempty string, and it may fail if
143*6777b538SAndroid Build Coastguard Worker // the given string is not in the current encoding and give us an empty
144*6777b538SAndroid Build Coastguard Worker // string back. We detect this and report failure.
145*6777b538SAndroid Build Coastguard Worker file_path_str = base::SysNativeMBToWide(path);
146*6777b538SAndroid Build Coastguard Worker }
147*6777b538SAndroid Build Coastguard Worker #else // BUILDFLAG(IS_WIN)
148*6777b538SAndroid Build Coastguard Worker // Collapse multiple path slashes into a single path slash.
149*6777b538SAndroid Build Coastguard Worker std::string new_path;
150*6777b538SAndroid Build Coastguard Worker do {
151*6777b538SAndroid Build Coastguard Worker new_path = path;
152*6777b538SAndroid Build Coastguard Worker base::ReplaceSubstringsAfterOffset(&new_path, 0, "//", "/");
153*6777b538SAndroid Build Coastguard Worker path.swap(new_path);
154*6777b538SAndroid Build Coastguard Worker } while (new_path != path);
155*6777b538SAndroid Build Coastguard Worker
156*6777b538SAndroid Build Coastguard Worker file_path_str.assign(path);
157*6777b538SAndroid Build Coastguard Worker #endif // !BUILDFLAG(IS_WIN)
158*6777b538SAndroid Build Coastguard Worker
159*6777b538SAndroid Build Coastguard Worker return !file_path_str.empty();
160*6777b538SAndroid Build Coastguard Worker }
161*6777b538SAndroid Build Coastguard Worker
GenerateSafeFileName(const std::string & mime_type,bool ignore_extension,base::FilePath * file_path)162*6777b538SAndroid Build Coastguard Worker void GenerateSafeFileName(const std::string& mime_type,
163*6777b538SAndroid Build Coastguard Worker bool ignore_extension,
164*6777b538SAndroid Build Coastguard Worker base::FilePath* file_path) {
165*6777b538SAndroid Build Coastguard Worker // Make sure we get the right file extension
166*6777b538SAndroid Build Coastguard Worker EnsureSafeExtension(mime_type, ignore_extension, file_path);
167*6777b538SAndroid Build Coastguard Worker
168*6777b538SAndroid Build Coastguard Worker #if BUILDFLAG(IS_WIN)
169*6777b538SAndroid Build Coastguard Worker // Prepend "_" to the file name if it's a reserved name
170*6777b538SAndroid Build Coastguard Worker base::FilePath::StringType leaf_name = file_path->BaseName().value();
171*6777b538SAndroid Build Coastguard Worker DCHECK(!leaf_name.empty());
172*6777b538SAndroid Build Coastguard Worker if (IsReservedNameOnWindows(leaf_name)) {
173*6777b538SAndroid Build Coastguard Worker leaf_name = base::FilePath::StringType(FILE_PATH_LITERAL("_")) + leaf_name;
174*6777b538SAndroid Build Coastguard Worker *file_path = file_path->DirName();
175*6777b538SAndroid Build Coastguard Worker if (file_path->value() == base::FilePath::kCurrentDirectory) {
176*6777b538SAndroid Build Coastguard Worker *file_path = base::FilePath(leaf_name);
177*6777b538SAndroid Build Coastguard Worker } else {
178*6777b538SAndroid Build Coastguard Worker *file_path = file_path->Append(leaf_name);
179*6777b538SAndroid Build Coastguard Worker }
180*6777b538SAndroid Build Coastguard Worker }
181*6777b538SAndroid Build Coastguard Worker #endif
182*6777b538SAndroid Build Coastguard Worker }
183*6777b538SAndroid Build Coastguard Worker
IsReservedNameOnWindows(const base::FilePath::StringType & filename)184*6777b538SAndroid Build Coastguard Worker bool IsReservedNameOnWindows(const base::FilePath::StringType& filename) {
185*6777b538SAndroid Build Coastguard Worker // This list is taken from the MSDN article "Naming a file"
186*6777b538SAndroid Build Coastguard Worker // http://msdn2.microsoft.com/en-us/library/aa365247(VS.85).aspx
187*6777b538SAndroid Build Coastguard Worker // I also added clock$ because GetSaveFileName seems to consider it as a
188*6777b538SAndroid Build Coastguard Worker // reserved name too.
189*6777b538SAndroid Build Coastguard Worker static const char* const known_devices[] = {
190*6777b538SAndroid Build Coastguard Worker "con", "prn", "aux", "nul", "com1", "com2", "com3", "com4",
191*6777b538SAndroid Build Coastguard Worker "com5", "com6", "com7", "com8", "com9", "lpt1", "lpt2", "lpt3",
192*6777b538SAndroid Build Coastguard Worker "lpt4", "lpt5", "lpt6", "lpt7", "lpt8", "lpt9", "clock$"};
193*6777b538SAndroid Build Coastguard Worker #if BUILDFLAG(IS_WIN)
194*6777b538SAndroid Build Coastguard Worker std::string filename_lower = base::ToLowerASCII(base::WideToUTF8(filename));
195*6777b538SAndroid Build Coastguard Worker #elif BUILDFLAG(IS_POSIX) || BUILDFLAG(IS_FUCHSIA)
196*6777b538SAndroid Build Coastguard Worker std::string filename_lower = base::ToLowerASCII(filename);
197*6777b538SAndroid Build Coastguard Worker #endif
198*6777b538SAndroid Build Coastguard Worker
199*6777b538SAndroid Build Coastguard Worker for (const char* const device : known_devices) {
200*6777b538SAndroid Build Coastguard Worker // Check for an exact match, or a "DEVICE." prefix.
201*6777b538SAndroid Build Coastguard Worker size_t len = strlen(device);
202*6777b538SAndroid Build Coastguard Worker if (filename_lower.starts_with(device) &&
203*6777b538SAndroid Build Coastguard Worker (filename_lower.size() == len || filename_lower[len] == '.')) {
204*6777b538SAndroid Build Coastguard Worker return true;
205*6777b538SAndroid Build Coastguard Worker }
206*6777b538SAndroid Build Coastguard Worker }
207*6777b538SAndroid Build Coastguard Worker
208*6777b538SAndroid Build Coastguard Worker static const char* const magic_names[] = {
209*6777b538SAndroid Build Coastguard Worker // These file names are used by the "Customize folder" feature of the
210*6777b538SAndroid Build Coastguard Worker // shell.
211*6777b538SAndroid Build Coastguard Worker "desktop.ini",
212*6777b538SAndroid Build Coastguard Worker "thumbs.db",
213*6777b538SAndroid Build Coastguard Worker };
214*6777b538SAndroid Build Coastguard Worker
215*6777b538SAndroid Build Coastguard Worker for (const char* const magic_name : magic_names) {
216*6777b538SAndroid Build Coastguard Worker if (filename_lower == magic_name)
217*6777b538SAndroid Build Coastguard Worker return true;
218*6777b538SAndroid Build Coastguard Worker }
219*6777b538SAndroid Build Coastguard Worker
220*6777b538SAndroid Build Coastguard Worker return false;
221*6777b538SAndroid Build Coastguard Worker }
222*6777b538SAndroid Build Coastguard Worker
223*6777b538SAndroid Build Coastguard Worker } // namespace net
224