Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
ExecXmlConfig, ExecXmlFile and ComPlusInstallExecute CAs expose sensitive data in log file #4956
Greetings, Gurus of Installer!
I'd like to make request to mark ExecXmlConfig, ExecXmlFile and ComPlusInstallExecute custom actions with Hidden Target flag as it is done for ConfigureIIs7Exec, for instance.
We have CA to encrypt configs, but we use XmlConfig to put passwords there. We also install COM+ application with provided user credentials.
There is a partial _workaround_ for Xml CAs: you have to explicitly define ExecXmlConfig and ExecXmlFile properties with Hidden attribute to hide their values in the property dump at the end of log; and create stab XmlConfig/XmlFile nodes before the one with sensitive data till the value of ExecXmlConfig and ExecXmlFile properties are truncated enough when CA is executed.
I didn't find any workarounds for ComPlusInstallExecute CA though.
I know this is a veeeery old issue, but hey! better late than never, right? Btw congrats with 3.10 release!
The workaround of marking the appropriate properties as hidden works today. The feature request is to create a set of parallel "secure" custom action entry points that hide everything by default.
No, marking property as hidden does not solve problem completely. You can still see CustomActionData value when CA is called. For instance:
Executing op: CustomActionSchedule(Action=ExecXmlConfig,ActionType=3073,Source=BinaryData,Target=ExecXmlConfig,CustomActionData=1�C:\Program Files (x86)\Google\Google SketchUp 6\Plugins\IESLink\Dialogs\IESveInterfaceParameters.xml�3�/IESInterface/IESveLocation���C:\Program