New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

ExecXmlConfig, ExecXmlFile and ComPlusInstallExecute CAs expose sensitive data in log file #4956

Closed
wixbot opened this Issue Nov 12, 2015 · 4 comments

Comments

Projects
None yet
3 participants
@wixbot
Collaborator

wixbot commented Nov 12, 2015

Greetings, Gurus of Installer!

I'd like to make request to mark ExecXmlConfig, ExecXmlFile and ComPlusInstallExecute custom actions with Hidden Target flag as it is done for ConfigureIIs7Exec, for instance.

We have CA to encrypt configs, but we use XmlConfig to put passwords there. We also install COM+ application with provided user credentials.

There is a partial _workaround_ for Xml CAs: you have to explicitly define ExecXmlConfig and ExecXmlFile properties with Hidden attribute to hide their values in the property dump at the end of log; and create stab XmlConfig/XmlFile nodes before the one with sensitive data till the value of ExecXmlConfig and ExecXmlFile properties are truncated enough when CA is executed.

I didn't find any workarounds for ComPlusInstallExecute CA though.

I know this is a veeeery old issue, but hey! better late than never, right? Btw congrats with 3.10 release!

Originally opened by verba.vadim

@wixbot

This comment has been minimized.

Collaborator

wixbot commented Nov 14, 2015

The workaround of marking the appropriate properties as hidden works today. The feature request is to create a set of parallel "secure" custom action entry points that hide everything by default.

Release changed from v3.10 to v3.x
Type changed from Bug to Feature

@wixbot

This comment has been minimized.

Collaborator

wixbot commented Nov 17, 2015

No, marking property as hidden does not solve problem completely. You can still see CustomActionData value when CA is called. For instance:

Executing op: CustomActionSchedule(Action=ExecXmlConfig,ActionType=3073,Source=BinaryData,Target=ExecXmlConfig,CustomActionData=1�C:\Program Files (x86)\Google\Google SketchUp 6\Plugins\IESLink\Dialogs\IESveInterfaceParameters.xml�3�/IESInterface/IESveLocation���C:\Program
Files (x86)\IES\VE 59\apps�0)

Originally posted by verba.vadim
Status changed from Open to Untriaged

@wixbot wixbot added this to the v3.x milestone Dec 20, 2015

@fyodorkor

This comment has been minimized.

Collaborator

fyodorkor commented Jan 19, 2017

Hi,
All deferred Custom Actions that can have sensitive information must be marked with attribute 'HideTarget'. I would like to fix this defect.

@barnson barnson modified the milestones: v3.11, v3.x Jan 31, 2017

@barnson

This comment has been minimized.

Member

barnson commented Jan 31, 2017

@barnson barnson closed this Feb 12, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment