Don't warn about modules in the same directory as Chrome

Bug: 876096
Change-Id: I85a7d7d5529270a829d9849a8bb638d9d02b7813
Reviewed-on: https://chromium-review.googlesource.com/1182341
Commit-Queue: Patrick Monette <pmonette@chromium.org>
Reviewed-by: Chris Hamilton <chrisha@chromium.org>
Cr-Commit-Position: refs/heads/master@{#584586}

chrome/browser/conflicts/incompatible_applications_updater_win.cc

@@ -311,18 +311,6 @@ void IncompatibleApplicationsUpdater::OnNewModuleFound(
     return;
   }
 
-// For developer builds only, whitelist modules in the same directory as the
-// executable.
-#if !defined(OFFICIAL_BUILD)
-  base::FilePath exe_path;
-  if (base::PathService::Get(base::DIR_EXE, &exe_path) &&
-      exe_path.DirName().IsParent(module_key.module_path)) {
-    module_warning_decisions_[module_key.module_id] =
-        ModuleWarningDecision::kAllowedSameDirectory;
-    return;
-  }
-#endif
-
   // Second, check if the module is seemingly signed by Microsoft. Again, no
   // attempt is made to check the validity of the certificate.
   if (IsMicrosoftModule(
@@ -332,6 +320,22 @@ void IncompatibleApplicationsUpdater::OnNewModuleFound(
     return;
   }
 
+  // Whitelist modules in the same directory as the executable. This serves 2
+  // purposes:
+  // - In unsigned builds, this whitelists all of the DLL that are part of
+  //   Chrome.
+  // - It avoids an issue with the simple heuristic used to determine to which
+  //   application a DLL belongs. If an injected third-party DLL is first copied
+  //   into Chrome's directory, Chrome will blame itself as an incompatible
+  //   application.
+  base::FilePath exe_path;
+  if (base::PathService::Get(base::DIR_EXE, &exe_path) &&
+      exe_path.DirName().IsParent(module_key.module_path)) {
+    module_warning_decisions_[module_key.module_id] =
+        ModuleWarningDecision::kAllowedSameDirectory;
+    return;
+  }
+
   // Skip modules whitelisted by the Module List component.
   if (module_list_filter_->IsWhitelisted(module_key, module_data)) {
     module_warning_decisions_[module_key.module_id] =

chrome/browser/conflicts/incompatible_applications_updater_win.h

@@ -47,7 +47,7 @@ class IncompatibleApplicationsUpdater : public ModuleDatabaseObserver {
     // validated.
     kAllowedSameCertificate,
     // Allowed because the path of the executable is the parent of the path of
-    // the module. Only used in non-official builds.
+    // the module.
     kAllowedSameDirectory,
     // Allowed because it is signed by Microsoft. The certificate is not
     // validated.

chrome/browser/ui/webui/conflicts/conflicts_handler.cc

@@ -34,10 +34,19 @@ namespace {
 constexpr char kNotLoaded[] = "Not loaded";
 constexpr char kAllowedInputMethodEditor[] = "Allowed - Input method editor";
 constexpr char kAllowedMatchingCertificate[] = "Allowed - Matching certificate";
-constexpr char kAllowedSameDirectory[] =
-    "Allowed - In executable directory (dev builds only)";
 constexpr char kAllowedMicrosoftModule[] = "Allowed - Microsoft module";
 constexpr char kAllowedWhitelisted[] = "Allowed - Whitelisted";
+constexpr char kAllowedSameDirectory[] =
+#if defined(OFFICIAL_BUILD)
+    // In official builds, modules in the Chrome directory are blocked but they
+    // won't cause a warning because the warning would blame Chrome itself.
+    "Tolerated - In executable directory";
+#else  // !defined(OFFICIAL_BUILD)
+    // In developer builds, DLLs that are part of Chrome are not signed and thus
+    // the easy way to identify them is to check that they are in the same
+    // directory (or child folder) as the main exe.
+    "Allowed - In executable directory (dev builds only)";
+#endif
 
 void AppendString(base::StringPiece input, std::string* output) {
   if (!output->empty())