A repair is really just another (re)install. You could extract them again. If
you call installed files, it can sometimes get tricky if you need to reference
them late during the uninstall... the files could be gone by the time you need
them. This scenario, the desire to hide/not persist the files while not
installing and the desire to consume files during the UI sequence prior to
installation are the three main triggers that drive me to use this type of
pattern.
Also it should be noted that the code injection risk can also occur if a
SysAdmin either enables the always elevate policy or grants non-priv users
modify to the file share containing the MSI. I still feel that the risk is
minimal and that's it's much easier to to just boot off of a usb key or cdrom
and run ntpassword then build the MSI domain knowledge needed to pull off this
type of exploit.
Neil Enns <[EMAIL PROTECTED]> wrote:
Ah. So lets make sure were clear, theres a difference
between asking for can I write files during install to a temporary location
vs. can I clean up some files Ive installed to program files after install J
Good point on the repair, I guess well leave the files around.
Neil
From: Bob Arnson [mailto:[EMAIL PROTECTED]
Sent: May-16-08 8:42 AM
To: Neil Enns
Cc: Rob Mensching; wix-users@lists.sourceforge.net
Subject: Re: [WiX-users] Temporary files in WiX?
Neil Enns wrote:
Thanks for the details, Rob. It sounds like from you write below that the
security issue exists regardless of whether the files are temporary, correct?
Any time you have an installer that writes files to a disk, then executes them
via a deferred custom action, the vulnerability owuld be there?
No, because Program Files is a "secure" location. To write to it, you'd already
need to be admin.
In our specific case, the files we're laying down on disk are the DirectX
9.0c redist files we need, then we execute them at the end of our setup.
In FlightSim, I leave the files installed so I can run repair. FWIW.
--
sig://boB
http://joyofsetup.com/
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
-------------------------------------------------------------------------
This SF.net email is sponsored by: Microsoft
Defy all challenges. Microsoft(R) Visual Studio 2008.
http://clk.atdmt.com/MRT/go/vse0120000070mrt/direct/01/
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users