NSIS: Quote uninstaller path when executing it in a shell

Protect our `$0` reference in the shell as `"$0"`. Otherwise it works with a space in the path only due to an insecure Windows feature. Prior to this fix, any installer using the option added by commit v2.8.9~234^2 (Added CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL, 2011-06-11) exposes a local privilege escalation vulnerability. Reported-by: Amir Szekely <kichik@gmail.com> Reported-by: Ug_0 Security
2016-07-15 14:18:37 +01:00 · 2016-07-15 14:18:37 +01:00 · 11768733d3
parent e31084e657
commit 11768733d3
2 changed files with 7 additions and 1 deletions
--- a/Help/release/3.6.rst
+++ b/Help/release/3.6.rst
@ -308,3 +308,9 @@ Other Changes
  preferred future use is upper cased component names in variables.
  New variables that will be added to CPackRPM in later versions
  will only support upper cased component variable format.
+
+* The CPack NSIS generator's configuration file template was fixed to
+  quote the path to the uninstaller tool used by the
+  :variable:`CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL` option.
+  This avoids depending on an insecure Windows feature to run an
+  uninstaller tool with a space in the path.
--- a/Modules/NSIS.template.in
+++ b/Modules/NSIS.template.in
@ -920,7 +920,7 @@ uninst:
  ClearErrors
  StrLen $2 "\Uninstall.exe"
  StrCpy $3 $0 -$2 # remove "\Uninstall.exe" from UninstallString to get path
-  ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file
+  ExecWait '"$0" _?=$3' ;Do not copy the uninstaller to a temp file

  IfErrors uninst_failed inst
 uninst_failed: