diff options
author | AkshayK <iit.akshay@gmail.com> | 2021-06-11 22:04:03 +0300 |
---|---|---|
committer | Richard Lau <rlau@redhat.com> | 2021-06-28 13:07:57 +0300 |
commit | a52790cba097d20c246645827397ffc19fc2e7d9 (patch) | |
tree | 360308bc8b41ed79bb0b9d47944b287e0b017eb6 | |
parent | 623fd1fcb557985bf452984856c1d0ce4fc096a7 (diff) |
win,msi: set install directory permission
Explicitly set permission for Windows install directory.
CVE-ID: CVE-2021-22921
Refs: https://hackerone.com/reports/1211160
PR-URL: https://github.com/nodejs-private/node-private/pull/269
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
-rwxr-xr-x | tools/msvs/msi/product.wxs | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/tools/msvs/msi/product.wxs b/tools/msvs/msi/product.wxs index f008ea7f9ad..ce53647a135 100755 --- a/tools/msvs/msi/product.wxs +++ b/tools/msvs/msi/product.wxs @@ -46,6 +46,13 @@ <Property Id="ApplicationFolderName" Value="nodejs"/> <Property Id="WIXUI_INSTALLDIR" Value="INSTALLDIR"/> + <!-- PropertyRef of the account users for setting InstallDir permission explicitly --> + <Property Id="AUTHENTICATED_USERS" Value="Authenticated Users"/> + + <PropertyRef Id="WIX_ACCOUNT_LOCALSYSTEM" /> + <PropertyRef Id="WIX_ACCOUNT_USERS" /> + <PropertyRef Id="WIX_ACCOUNT_ADMINISTRATORS" /> + <Property Id="INSTALLDIR" Secure="yes"> <RegistrySearch Id="InstallPathRegistry" Type="raw" @@ -73,6 +80,7 @@ <ComponentRef Id="NodeStartMenu"/> <ComponentRef Id="AppData" /> <ComponentRef Id="InstallToolsBat" /> + <ComponentRef Id="SetInstallDirPermission" /> <ComponentGroupRef Id="Product.Generated"/> <Feature Id="NodeEtwSupport" @@ -93,6 +101,7 @@ <ComponentRef Id="NpxBashScript"/> <ComponentRef Id="NpmConfigurationFile"/> <ComponentRef Id="AppData" /> + <ComponentRef Id="SetInstallDirPermission" /> <ComponentGroupRef Id="NpmSourceFiles"/> </Feature> @@ -169,6 +178,20 @@ <?endif?> </DirectoryRef> + <DirectoryRef Id="INSTALLDIR"> + <!-- Create component for setting the install directory permission explicitly --> + <Component Id="SetInstallDirPermission" Guid="{EFFC4F74-183A-4237-BBD7-0CAD2B950053}"> + <CreateFolder> + <Permission User="[WIX_ACCOUNT_USERS]" GenericRead="yes" Traverse="yes" GenericExecute="yes" Synchronize="yes" + GenericWrite="no" WriteAttributes="no" WriteExtendedAttributes="no"/> + <Permission User="[AUTHENTICATED_USERS]" GenericRead="yes" Traverse="yes" GenericExecute="yes" Synchronize="yes" + GenericWrite="no" WriteAttributes="no" WriteExtendedAttributes="no"/> + <Permission User="[WIX_ACCOUNT_ADMINISTRATORS]" GenericAll="yes"/> + <Permission User="[WIX_ACCOUNT_LOCALSYSTEM]" GenericAll="yes"/> + </CreateFolder> + </Component> + </DirectoryRef> + <DirectoryRef Id="ApplicationProgramsFolder"> <Component Id="NodeStartMenu"> <!-- RegistryValue needed because every Component must have a KeyPath. |