NSIS: Quote uninstaller path when executing it in a shell

Protect our `$0` reference in the shell as `"$0"`.  Otherwise it works
with a space in the path only due to an insecure Windows feature.

Prior to this fix, any installer using the option added by commit
v2.8.9~234^2 (Added CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL,
2011-06-11) exposes a local privilege escalation vulnerability.

Reported-by: Amir Szekely <kichik@gmail.com>
Reported-by: Ug_0 Security
This commit is contained in:
Justin Clift 2016-07-15 14:18:37 +01:00 committed by Brad King
parent e31084e657
commit 11768733d3
2 changed files with 7 additions and 1 deletions

View File

@ -308,3 +308,9 @@ Other Changes
preferred future use is upper cased component names in variables.
New variables that will be added to CPackRPM in later versions
will only support upper cased component variable format.
* The CPack NSIS generator's configuration file template was fixed to
quote the path to the uninstaller tool used by the
:variable:`CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL` option.
This avoids depending on an insecure Windows feature to run an
uninstaller tool with a space in the path.

View File

@ -920,7 +920,7 @@ uninst:
ClearErrors
StrLen $2 "\Uninstall.exe"
StrCpy $3 $0 -$2 # remove "\Uninstall.exe" from UninstallString to get path
ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file
ExecWait '"$0" _?=$3' ;Do not copy the uninstaller to a temp file
IfErrors uninst_failed inst
uninst_failed: