dragonleo/NSIS
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

myGetProcAddress now uses a full path to the system directory when calling LoadLibrary to avoid application directory dll hijacking of SHFolder.dll

Browse source 
git-svn-id: https://svn.code.sf.net/p/nsis/code/NSIS/trunk@6634 212acab6-be3b-0410-9dea-997c60f758d6
This commit is contained in:
anders_k 2015-11-06 02:42:35 +00:00
parent d7ac356d0e
commit caf00a1195
3 changed files with 31 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

2
Docs/src/history.but
View file

@ -12,6 +12,8 @@ Released on ? ?th, 201?
\b FileReadUTF16LE now skips the optional BOM at the start of a file \b FileReadUTF16LE now skips the optional BOM at the start of a file
\b SHFolder.dll is loaded with full path to prevent dll hijacking
\S2{} Minor Changes \S2{} Minor Changes
\b Fixed System plugin GUID type output bug on Win98 \b Fixed System plugin GUID type output bug on Win98

22
Source/exehead/Main.c
View file

@ -98,17 +98,17 @@ EXTERN_C void NSISWinMainNOCRT()
} }
#endif #endif
// load shfolder.dll before any script code is executed to avoid // Because myGetProcAddress now loads dlls with a full path
// weird situations where SetOutPath or even the extraction of // under GetSystemDirectory() the previous issues in <= v3.0b2 with
// shfolder.dll will cause unexpected behavior. // 'SetOutPath' and/or 'File "shfolder.dll"' no longer apply.
// // All MGA dlls still need to be loaded early here because installers
// this also prevents the following: // running under WoW64 might disable WoW64 FS redirection in .onInit and
// // because GetSystemDirectory() can return the native system32 path we need
// SetOutPath "C:\Program Files\NSIS" # maybe read from reg // the redirection to be turned off so LoadLibrary uses the correct folder.
// File shfolder.dll // Note: We also import directly from KERNEL32, ADVAPI32 and SHELL32 so they
// Delete $PROGRAMFILES\shfolder.dll # can't be deleted, as the // are exempt from this requirement and SHELL32 imports from SHLWAPI on
// # new shfolder.dll is used // WoW64 systems and it is also on the KnownDLLs list so
// # to find its own path. // SHLWAPI also gets a pass and that just leaves SHFOLDER.
g_SHGetFolderPath = myGetProcAddress(MGA_SHGetFolderPath); g_SHGetFolderPath = myGetProcAddress(MGA_SHGetFolderPath);
{ {

23
Source/exehead/util.c
View file

@ -1113,12 +1113,25 @@ struct MGA_FUNC MGA_FUNCS[] = {
*/ */
void * NSISCALL myGetProcAddress(const enum myGetProcAddressFunctions func) void * NSISCALL myGetProcAddress(const enum myGetProcAddressFunctions func)
{ {
const char *dll = MGA_FUNCS[func].dll; #ifdef UNICODE
HMODULE hModule = GetModuleHandleA(dll); static const TCHAR dllpathfmt[] = _T("%s%hs.dll"); // Strings in MGA_FUNC are always ANSI
#else
static const TCHAR dllpathfmt[] = _T("%s%s.dll");
#endif
HMODULE hModule;
const char *dllname = MGA_FUNCS[func].dll;
TCHAR buf[MAX_PATH+1+20+4+!0]; // 20+4 is more than enough for the dllnames we are using
UINT cch = GetSystemDirectory(buf, MAX_PATH);
if (cch > MAX_PATH) // MAX_PATH was somehow not large enough and we don't support
cch = 0; // \\?\ paths so we have to settle for just the name.
wsprintf(buf + cch, dllpathfmt, _T("\\") + (!cch || buf[cch-1] == '\\'), dllname);
hModule = GetModuleHandleA(dllname); // Avoid LoadLibrary if possible because
if (!hModule) // it can crash on 64-bit dlls if
hModule = LoadLibrary(buf); // WoW64 FS redirection is off.
if (!hModule) if (!hModule)
hModule = LoadLibraryA(dll); return (FARPROC) hModule; // Optimized "return NULL;"
if (!hModule)
return NULL;
return GetProcAddress(hModule, MGA_FUNCS[func].func); return GetProcAddress(hModule, MGA_FUNCS[func].func);
} }