
Issue 665992

Starred by 2 users

Issue metadata

Status: WontFix
Owner: ----
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 1
Type: Bug-Regression




Beta Regression: Chrome stripping .exe files from extensions

Reported by donco...@gmail.com, Nov 16 2016

Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.44 Safari/537.36

Steps to reproduce the problem:
1. Install an extension with an .exe file from the web store.
2. Look in the installed %localappdata% directory for the extension.
3. Note that the .exe file has been removed.

What is the expected behavior?
It's expected that you would not meddle with my extension.

What went wrong?
This breaks a key scenario:  The ability to upgrade a native host.  We have an extension with over 3 million users that we have been upgrading this way for years and now it is broken.

WebStore page: 

Did this work before? Yes 54.0.2804.99

Chrome version: 55.0.2883.44  Channel: beta
OS Version: 10.0
Flash Version: Shockwave Flash 23.0 r0
 
Cc: pbomm...@chromium.org gov...@chromium.org
Labels: -Pri-2 ReleaseBlock-Stable M-55 Needs-Bisect Pri-1
doncodes@ please provide the URL of the extension with .exe from Web store for further triage.
Labels: Needs-Feedback

Comment 4 Deleted

Comment 5 by donco...@gmail.com, Nov 17 2016

We already worked around this problem so I don't have a link.

But I'm pretty sure ours wasn't the only extension using .exe files (judging by the online extension group), and I'd love to know why this breaking change was made to give us a sense of whether our workaround will continue to work in the future.
Cc: rdevlin....@chromium.org mea...@chromium.org

Comment 7 by gov...@chromium.org, Nov 17 2016

A friendly reminder that M55 Stable launch is coming soon! Your bug is labelled as Stable ReleaseBlock, pls make sure to land the fix and get it merged into the release branch ASAP so it gets enough baking time in Beta (before Stable promotion). Thank you!

Also due to Thanksgiving holidays in US, please make sure fix is ready and merged to M55 latest by 5:00 PM PT Friday, 11/18/16 (sooner the better).
Labels: -ReleaseBlock-Stable

Comment 9 by mea...@chromium.org, Nov 17 2016

The change was made to prevent exploits that bundle exes inside crx files: https://codereview.chromium.org/2321823002

As far as I know using an exe from inside a CRX file as a native host is not supported. How are you using the exes? Is the native host extracting the binary from the crx file?

Comment 10 by donco...@gmail.com, Nov 17 2016

It's just a simple and logical way to package and deploy the native host executable and it facilitates auto-update.  Exactly what exploit is the previous change mitigating?  .exe files can be downloaded from the internet in a variety of ways (including a simple sequence of js code), how does it help to prevent them from being downloaded with an extension?

The bug pointed to by that CL explains the exploits (bug 468355, view restricted for now, since the fix is not in stable channel yet). Exes deployed inside CRX files have been used in multiple full exploit chains (bug 171839, bug 453937, bug 583431) as a way of bypassing SafeBrowsing. Unfortunately these bugs are also view restricted as the reporters wanted to remain anonymous.

Comment 12 by donco...@gmail.com, Nov 17 2016

Okay, thanks for the bug details.  As long as you are just blocking executable files by name I don't foresee this being a problem for our workaround.  But this will obviously break other extensions that include .exe files...I wonder if the webstore team could pro-actively reach out to those extension devs.


Yes, you should be able to rename the files and keep using them. If we were ever to change this too, I'll make sure we announce it more widely.
Status: WontFix (was: Unconfirmed)
Given this is an intentional behavior change, I am marking the bug as WontFix.
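
An added example, not part of the original thread and not Chromium's code: a Python audit that reports archive members matching the `.exe` name filter discussed in this thread separately from members whose content carries a PE header under some other name. It assumes the package's ZIP payload is available as bytes; the function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

# Name-based view: the suffix this thread says is being filtered on.
BLOCKED_SUFFIXES = (".exe",)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def audit_archive(zip_bytes: bytes) -> dict:
    """Classify each archive member by file name and by content."""
    report = {"by_name": [], "by_content_only": []}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)  # only the header region is inspected
            if info.filename.lower().endswith(BLOCKED_SUFFIXES):
                report["by_name"].append(info.filename)
            elif looks_like_pe(head):
                report["by_content_only"].append(info.filename)
    return report


def _constructed_sample() -> bytes:
    """Constructed archive: a stub PE header under two names plus a manifest."""
    pe_stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", '{"name": "constructed sample"}')
        zf.writestr("host/helper.exe", pe_stub)
        zf.writestr("host/helper.dat", pe_stub)
    return buf.getvalue()


if __name__ == "__main__":
    print(audit_archive(_constructed_sample()))
```

Entries under `by_content_only` are the ones a name-based filter leaves in place, so they are the ones worth reviewing when auditing installed or submitted extensions.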
