From 938381c1ba24e4b0abccdce19f12f2f0cbe15866 Mon Sep 17 00:00:00 2001
From: Rob Mensching
Date: Wed, 15 Nov 2017 13:01:53 -0800
Subject: [PATCH] When elevated place clean room in system Temp folder

To prevent DLL hijacking the clean room process when launched elevated, the system Temp folder will be used instead of the user's temp folder. This ensures the user cannot slip malicious DLLs into the clean room.

Fixes wixtoolset/issues#5724
---
 src/burn/engine/cache.cpp | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/burn/engine/cache.cpp b/src/burn/engine/cache.cpp
index fd9a43889..46dc4146f 100644
--- a/src/burn/engine/cache.cpp
+++ b/src/burn/engine/cache.cpp
@@ -1104,13 +1104,29 @@ static HRESULT CalculateWorkingFolder(
 {
     HRESULT hr = S_OK;
     RPC_STATUS rs = RPC_S_OK;
+    BOOL fElevated = FALSE;
     WCHAR wzTempPath[MAX_PATH] = { };
     UUID guid = {};
     WCHAR wzGuid[39];
 
     if (!vsczWorkingFolder)
     {
-        if (0 == ::GetTempPathW(countof(wzTempPath), wzTempPath))
+        ProcElevated(::GetCurrentProcess(), &fElevated);
+
+        if (fElevated)
+        {
+            if (!::GetWindowsDirectoryW(wzTempPath, countof(wzTempPath)))
+            {
+                ExitWithLastError(hr, "Failed to get windows path for working folder.");
+            }
+
+            hr = PathFixedBackslashTerminate(wzTempPath, countof(wzTempPath));
+            ExitOnFailure(hr, "Failed to ensure windows path for working folder ended in backslash.");
+
+            hr = ::StringCchCatW(wzTempPath, countof(wzTempPath), L"Temp\\");
+            ExitOnFailure(hr, "Failed to concat Temp directory on windows path for working folder.");
+        }
+        else if (0 == ::GetTempPathW(countof(wzTempPath), wzTempPath))
         {
             ExitWithLastError(hr, "Failed to get temp path for working folder.");
         }
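Review bot: The result of `ProcElevated(::GetCurrentProcess(), &fElevated);` is discarded, so if the elevation query fails for any reason `fElevated` stays FALSE and the code silently falls through to `GetTempPathW`, i.e. the user-writable folder this patch exists to avoid — the hardening fails open exactly in the elevated case it protects. Assuming `ProcElevated` reports failure as an HRESULT like the other helpers in this hunk, check it: `hr = ProcElevated(::GetCurrentProcess(), &fElevated);` followed by `ExitOnFailure(hr, "Failed to determine if process is elevated.");`. Two further points deserve a comment above the `if (fElevated)` branch: on a default install the ACL on `%WINDIR%\Temp` still grants `BUILTIN\Users` create-file and create-folder rights, so this only helps if the GUID-named working folder presumably built from `wzGuid` later is unpredictable and created with a restrictive ACL, neither of which this hunk establishes; and `GetSystemWindowsDirectoryW` is the API documented to return the shared Windows directory even under Terminal Services, whereas `GetWindowsDirectoryW` may return a per-user one. CalculateWorkingFolder continues past the end of this hunk.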