1 // Copyright (c) 2013 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "components/policy/core/common/preg_parser_win.h"
6
7 #include <windows.h>
8
9 #include <algorithm>
10 #include <iterator>
11 #include <vector>
12
13 #include "base/basictypes.h"
14 #include "base/files/file_path.h"
15 #include "base/files/memory_mapped_file.h"
16 #include "base/logging.h"
17 #include "base/stl_util.h"
18 #include "base/strings/string16.h"
19 #include "base/strings/string_util.h"
20 #include "base/strings/utf_string_conversions.h"
21 #include "base/sys_byteorder.h"
22 #include "base/values.h"
23 #include "components/policy/core/common/policy_load_status.h"
24 #include "components/policy/core/common/registry_dict_win.h"
25
26 namespace policy {
27 namespace preg_parser {
28
29 const char kPRegFileHeader[8] =
30 { 'P', 'R', 'e', 'g', '\x01', '\x00', '\x00', '\x00' };
31
32 // Maximum PReg file size we're willing to accept.
33 const int64 kMaxPRegFileSize = 1024 * 1024 * 16;
34
35 // Constants for PReg file delimiters.
36 const base::char16 kDelimBracketOpen = L'[';
37 const base::char16 kDelimBracketClose = L']';
38 const base::char16 kDelimSemicolon = L';';
39
40 // Registry path separator.
41 const base::char16 kRegistryPathSeparator[] = L"\\";
42
43 // Magic strings for the PReg value field to trigger special actions.
44 const char kActionTriggerPrefix[] = "**";
45 const char kActionTriggerDeleteValues[] = "deletevalues";
46 const char kActionTriggerDel[] = "del.";
47 const char kActionTriggerDelVals[] = "delvals";
48 const char kActionTriggerDeleteKeys[] = "deletekeys";
49 const char kActionTriggerSecureKey[] = "securekey";
50 const char kActionTriggerSoft[] = "soft";
51
52 // Returns the character at |cursor| and increments it, unless the end is here
53 // in which case -1 is returned.
NextChar(const uint8 ** cursor,const uint8 * end)54 int NextChar(const uint8** cursor, const uint8* end) {
55 // Only read the character if a full base::char16 is available.
56 if (*cursor + sizeof(base::char16) > end)
57 return -1;
58
59 int result = **cursor | (*(*cursor + 1) << 8);
60 *cursor += sizeof(base::char16);
61 return result;
62 }
63
64 // Reads a fixed-size field from a PReg file.
ReadFieldBinary(const uint8 ** cursor,const uint8 * end,uint32 size,uint8 * data)65 bool ReadFieldBinary(const uint8** cursor,
66 const uint8* end,
67 uint32 size,
68 uint8* data) {
69 if (size == 0)
70 return true;
71
72 const uint8* field_end = *cursor + size;
73 if (field_end <= *cursor || field_end > end)
74 return false;
75 std::copy(*cursor, field_end, data);
76 *cursor = field_end;
77 return true;
78 }
79
ReadField32(const uint8 ** cursor,const uint8 * end,uint32 * data)80 bool ReadField32(const uint8** cursor, const uint8* end, uint32* data) {
81 uint32 value = 0;
82 if (!ReadFieldBinary(cursor, end, sizeof(uint32),
83 reinterpret_cast<uint8*>(&value))) {
84 return false;
85 }
86 *data = base::ByteSwapToLE32(value);
87 return true;
88 }
89
90 // Reads a string field from a file.
ReadFieldString(const uint8 ** cursor,const uint8 * end,base::string16 * str)91 bool ReadFieldString(const uint8** cursor,
92 const uint8* end,
93 base::string16* str) {
94 int current = -1;
95 while ((current = NextChar(cursor, end)) > 0x0000)
96 *str += current;
97
98 return current == L'\0';
99 }
100
DecodePRegStringValue(const std::vector<uint8> & data)101 std::string DecodePRegStringValue(const std::vector<uint8>& data) {
102 size_t len = data.size() / sizeof(base::char16);
103 if (len <= 0)
104 return std::string();
105
106 const base::char16* chars =
107 reinterpret_cast<const base::char16*>(vector_as_array(&data));
108 base::string16 result;
109 std::transform(chars, chars + len - 1, std::back_inserter(result),
110 std::ptr_fun(base::ByteSwapToLE16));
111 return base::UTF16ToUTF8(result);
112 }
113
114 // Decodes a value from a PReg file given as a uint8 vector.
DecodePRegValue(uint32 type,const std::vector<uint8> & data,scoped_ptr<base::Value> * value)115 bool DecodePRegValue(uint32 type,
116 const std::vector<uint8>& data,
117 scoped_ptr<base::Value>* value) {
118 switch (type) {
119 case REG_SZ:
120 case REG_EXPAND_SZ:
121 value->reset(new base::StringValue(DecodePRegStringValue(data)));
122 return true;
123 case REG_DWORD_LITTLE_ENDIAN:
124 case REG_DWORD_BIG_ENDIAN:
125 if (data.size() == sizeof(uint32)) {
126 uint32 val = *reinterpret_cast<const uint32*>(vector_as_array(&data));
127 if (type == REG_DWORD_BIG_ENDIAN)
128 val = base::NetToHost32(val);
129 else
130 val = base::ByteSwapToLE32(val);
131 value->reset(new base::FundamentalValue(static_cast<int>(val)));
132 return true;
133 } else {
134 LOG(ERROR) << "Bad data size " << data.size();
135 }
136 break;
137 case REG_NONE:
138 case REG_LINK:
139 case REG_MULTI_SZ:
140 case REG_RESOURCE_LIST:
141 case REG_FULL_RESOURCE_DESCRIPTOR:
142 case REG_RESOURCE_REQUIREMENTS_LIST:
143 case REG_QWORD_LITTLE_ENDIAN:
144 default:
145 LOG(ERROR) << "Unsupported registry data type " << type;
146 }
147
148 return false;
149 }
150
151 // Adds the record data passed via parameters to |dict| in case the data is
152 // relevant policy for Chromium.
HandleRecord(const base::string16 & key_name,const base::string16 & value,uint32 type,const std::vector<uint8> & data,RegistryDict * dict)153 void HandleRecord(const base::string16& key_name,
154 const base::string16& value,
155 uint32 type,
156 const std::vector<uint8>& data,
157 RegistryDict* dict) {
158 // Locate/create the dictionary to place the value in.
159 std::vector<base::string16> path;
160
161 Tokenize(key_name, kRegistryPathSeparator, &path);
162 for (std::vector<base::string16>::const_iterator entry(path.begin());
163 entry != path.end(); ++entry) {
164 if (entry->empty())
165 continue;
166 const std::string name = base::UTF16ToUTF8(*entry);
167 RegistryDict* subdict = dict->GetKey(name);
168 if (!subdict) {
169 subdict = new RegistryDict();
170 dict->SetKey(name, make_scoped_ptr(subdict));
171 }
172 dict = subdict;
173 }
174
175 if (value.empty())
176 return;
177
178 std::string value_name(base::UTF16ToUTF8(value));
179 if (!StartsWithASCII(value_name, kActionTriggerPrefix, true)) {
180 scoped_ptr<base::Value> value;
181 if (DecodePRegValue(type, data, &value))
182 dict->SetValue(value_name, value.Pass());
183 return;
184 }
185
186 std::string action_trigger(base::StringToLowerASCII(value_name.substr(
187 arraysize(kActionTriggerPrefix) - 1)));
188 if (action_trigger == kActionTriggerDeleteValues) {
189 std::vector<std::string> values;
190 Tokenize(DecodePRegStringValue(data), ";", &values);
191 for (std::vector<std::string>::const_iterator value(values.begin());
192 value != values.end(); ++value) {
193 dict->RemoveValue(*value);
194 }
195 } else if (StartsWithASCII(action_trigger, kActionTriggerDeleteKeys, true)) {
196 std::vector<std::string> keys;
197 Tokenize(DecodePRegStringValue(data), ";", &keys);
198 for (std::vector<std::string>::const_iterator key(keys.begin());
199 key != keys.end(); ++key) {
200 dict->RemoveKey(*key);
201 }
202 } else if (StartsWithASCII(action_trigger, kActionTriggerDel, true)) {
203 dict->RemoveValue(
204 value_name.substr(arraysize(kActionTriggerPrefix) - 1 +
205 arraysize(kActionTriggerDel) - 1));
206 } else if (StartsWithASCII(action_trigger, kActionTriggerDelVals, true)) {
207 // Delete all values.
208 dict->ClearValues();
209 } else if (StartsWithASCII(action_trigger, kActionTriggerSecureKey, true) ||
210 StartsWithASCII(action_trigger, kActionTriggerSoft, true)) {
211 // Doesn't affect values.
212 } else {
213 LOG(ERROR) << "Bad action trigger " << value_name;
214 }
215 }
216
ReadFile(const base::FilePath & file_path,const base::string16 & root,RegistryDict * dict,PolicyLoadStatusSample * status)217 bool ReadFile(const base::FilePath& file_path,
218 const base::string16& root,
219 RegistryDict* dict,
220 PolicyLoadStatusSample* status) {
221 base::MemoryMappedFile mapped_file;
222 if (!mapped_file.Initialize(file_path) || !mapped_file.IsValid()) {
223 PLOG(ERROR) << "Failed to map " << file_path.value();
224 status->Add(POLICY_LOAD_STATUS_READ_ERROR);
225 return false;
226 }
227
228 if (mapped_file.length() > kMaxPRegFileSize) {
229 LOG(ERROR) << "PReg file " << file_path.value() << " too large: "
230 << mapped_file.length();
231 status->Add(POLICY_LOAD_STATUS_TOO_BIG);
232 return false;
233 }
234
235 // Check the header.
236 const int kHeaderSize = arraysize(kPRegFileHeader);
237 if (mapped_file.length() < kHeaderSize ||
238 memcmp(kPRegFileHeader, mapped_file.data(), kHeaderSize) != 0) {
239 LOG(ERROR) << "Bad policy file " << file_path.value();
240 status->Add(POLICY_LOAD_STATUS_PARSE_ERROR);
241 return false;
242 }
243
244 // Parse file contents, which is UCS-2 and little-endian. The latter I
245 // couldn't find documentation on, but the example I saw were all
246 // little-endian. It'd be interesting to check on big-endian hardware.
247 const uint8* cursor = mapped_file.data() + kHeaderSize;
248 const uint8* end = mapped_file.data() + mapped_file.length();
249 while (true) {
250 if (cursor == end)
251 return true;
252
253 if (NextChar(&cursor, end) != kDelimBracketOpen)
254 break;
255
256 // Read the record fields.
257 base::string16 key_name;
258 base::string16 value;
259 uint32 type = 0;
260 uint32 size = 0;
261 std::vector<uint8> data;
262
263 if (!ReadFieldString(&cursor, end, &key_name))
264 break;
265
266 int current = NextChar(&cursor, end);
267 if (current == kDelimSemicolon) {
268 if (!ReadFieldString(&cursor, end, &value))
269 break;
270 current = NextChar(&cursor, end);
271 }
272
273 if (current == kDelimSemicolon) {
274 if (!ReadField32(&cursor, end, &type))
275 break;
276 current = NextChar(&cursor, end);
277 }
278
279 if (current == kDelimSemicolon) {
280 if (!ReadField32(&cursor, end, &size))
281 break;
282 current = NextChar(&cursor, end);
283 }
284
285 if (current == kDelimSemicolon) {
286 if (size > kMaxPRegFileSize)
287 break;
288 data.resize(size);
289 if (!ReadFieldBinary(&cursor, end, size, vector_as_array(&data)))
290 break;
291 current = NextChar(&cursor, end);
292 }
293
294 if (current != kDelimBracketClose)
295 break;
296
297 // Process the record if it is within the |root| subtree.
298 if (StartsWith(key_name, root, false))
299 HandleRecord(key_name.substr(root.size()), value, type, data, dict);
300 }
301
302 LOG(ERROR) << "Error parsing " << file_path.value() << " at offset "
303 << reinterpret_cast<const uint8*>(cursor - 1) - mapped_file.data();
304 status->Add(POLICY_LOAD_STATUS_PARSE_ERROR);
305 return false;
306 }
307
308 } // namespace preg_parser
309 } // namespace policy
310