Yes, I've tried modifying it as a test and it still displays connection string.
J On May 6, 2013, at 11:55 AM, "Hoover, Jacob" <jacob.hoo...@greenheck.com> wrote: > Are they setting a property within their CA called ConnectionString? > > -----Original Message----- > From: Phil Wilson [mailto:phil.wil...@mvps.org] > Sent: Monday, May 06, 2013 11:48 AM > To: 'General discussion for Windows Installer XML toolset.' > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file > > In context, that full log entry was previously posted as: > =========================================== > Action start 17:26:56: InstallFinalize. > SFXCA: Extracting custom action to temporary directory: > C:\WINDOWS\Installer\MSI1045.tmp-\ > SFXCA: Binding to CLR version v2.0.50727 Calling custom action > DatabaseCA!DatabaseCA.CustomActions.DatabaseCA > > Begin DatabaseCA > > Connecton String: Data Source=source;Packet > Size=4096;Uid=sqluser;Pwd=mypassword > ========================================= > > Whicc is DTF doing the logging, methinks. Jeremiahf didn't show all the data > in that recent reply, so without the SFXCA prefix it is misleading. > > Phil > > -----Original Message----- > From: Jeremiahf [mailto:jeremi...@gmail.com] > Sent: Monday, May 06, 2013 8:08 AM > To: General discussion for Windows Installer XML toolset. > Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in MSI log file > > Hi Rob, > > I'm pretty certain it is the installer logging what the custom action is > doing. I ran the installer in verbose mode and noticed the password and > server parameters were not being displayed in plain text. > MSI (c) (A8:F8) [09:58:01:363]: Command Line: USERNAME=sa > PASSWORD=********** SERVER=********** > Then when my custom action is called it is logging sql connection string in > plain text. > Begin DatabaseCA > Connecton String: Data Source=source;Packet Size=4096;Uid=sqluser;Pwd= > mypassword > > J > > > On Sat, May 4, 2013 at 1:49 AM, Rob Mensching <r...@robmensching.com> wrote: > >> Is the message showing the password actually being logged by the >> custom action itself? >> >> >> On Fri, May 3, 2013 at 3:53 PM, Jeremiahf <jeremi...@gmail.com> wrote: >> >>> Steven, >>> >>> "Tried adding: HideTarget="yes" that didn't help" Indeed! >>> >>> I'm even tried to remove logging from the custom action and I still >>> see >> the >>> password... >>> I've even checked MsiHiddenProperties and see that PASSWORD is >>> listed >> along >>> with CA_DBAction... Not in SecureCustomProperties... I added > secure="yes" >>> and now it is there.. Execute the installer with logging and it is >>> still unsecure in plain text in the log. It must be between the MSI >>> installer >> and >>> the SQL connection that is being made. Thoughts? >>> >>> J >>> >>> >>> On Fri, May 3, 2013 at 1:48 PM, Steven Ogilvie >>> <steven.ogil...@titus.com >>>> wrote: >>> >>>> I was not using managed code custom actions... >>>> >>>> I was doing: >>>> <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" Secure="yes"/> >>>> >>>> <CustomAction Id="CA_WebAppPoolPassword.SetProperty" >>>> Property="CA_WebAppPoolPassword." >>>> Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/> >>>> Tried adding: HideTarget="yes" that didn't help >>>> <InstallExecuteSequence> >>>> <Custom Action="CA_WebAppPoolPassword.SetProperty" >>>> After="CA_DataBasePassword.SetProperty">NOT Installed</Custom> >>>> >>>> This property was in a custom dialog: >>>> <Control Id="labelPassword" Type="Text" Height="15" Width="152" X="17" >>>> Y="152" Text="Web App Pool user password:" Transparent="yes" >>> NoPrefix="yes" >>>> /> >>>> <Control Id="textBoxPassword" Type="Edit" Height="15" Width="177" >> X="180" >>>> Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" TabSkip="no" >>>> /> <Publish Property="WEBAPPPOOL_PASSWORD" > Value="[WEBAPPPOOL_PASSWORD]" >>>> Order="9">1</Publish> >>>> >>>> It was the custom action " CA_WebAppPoolPassword.SetProperty " >>>> that was displaying the property in the MSI log file. >>>> >>>> Took it out and now the password is not being displayed in plain >>> letters... >>>> >>>> Steve >>>> >>>> >>>> -----Original Message----- >>>> From: Phil Wilson [mailto:phil.wil...@mvps.org] >>>> Sent: May-03-13 2:27 PM >>>> To: 'General discussion for Windows Installer XML toolset.' >>>> Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in >>>> MSI log file >>>> >>>> The way it works in MSI isn't really mysterious. Basically the >>>> property name needs to be public (and that means it must be all >>>> uppercase). If >> WiX >>>> does its thing properly then you can open the generated MSI file >>>> with >> an >>>> editor such as Orca, look in the Properties table, and in the >>>> Property table there'll be a SecureCustomProperties property and >>>> your property >>> name >>>> will be in that list. >>>> >>>> This works. If it didn't work then Microsoft would be all over it >>>> as a security bug. >>>> >>>> Generally speaking, people get account passwords from a MSI dialog >>>> and store it in a property such as MYPASSWORD, and then pass it to >>>> a custom action that uses it. >>>> >>>> However, you're using managed code custom actions, and it seems >>>> from >> the >>>> log that the (DTF?) code just does its own logging into the MSI >>>> log >>> without >>>> caring whether there's a password in there. So it may be a DTF >>>> thing, >> not >>>> sure, and if it is then HideTarget etc won't help at all. The >>>> short >>> answer >>>> is that if the DTF code is logging a connection string that >>>> typically contains a password, then it probably shouldn't. >>>> >>>> Phil >>>> >>>> -----Original Message----- >>>> From: Jeremiahf [mailto:jeremi...@gmail.com] >>>> Sent: Thursday, May 02, 2013 4:17 PM >>>> To: General discussion for Windows Installer XML toolset. >>>> Subject: Re: [WiX-users] WiX-users] Hide/blank out Passwords in >>>> MSI log file >>>> >>>> Hi Steve, >>>> >>>> My requirements are strictly to use command line. Crazy? Maybe. I >>>> have >> to >>>> say I have seen this topic all over blogs. Seems like there is >>>> always a way, you just have to figure out how.... >>>> >>>> >>>> On Thu, May 2, 2013 at 5:43 PM, Steven Ogilvie >>>> <steven.ogil...@titus.com>wrote: >>>> >>>>> Hmm... I commented out my custom action that sets the property: >>>>> <!--<CustomAction Id="CA_WebAppPoolPassword.SetProperty" >>> HideTarget="yes" >>>>> Property="CA_WebAppPoolPassword." >>>>> Value="WEBAPPPOOL_PASSWORD=[WEBAPPPOOL_PASSWORD]"/>--> >>>>> >>>>> And ran the install, everything worked and my Web App Pool + Web >>>>> site launched without errors (would have failed if I didn't have >>>>> a >> password >>>>> for the Web App Pool) >>>>> >>>>> However I do publish the property during the UI: >>>>> <Publish Property="WEBAPPPOOL_PASSWORD" > Value="[WEBAPPPOOL_PASSWORD]" >>>>> Order="9">1</Publish> (my web site info dialog page during >>>>> install) >>>>> >>>>> I checked my MSI log file and there wasn't any viewable strings >>>>> for the WebAppPool_Password it was all: WEBAPPPOOL_PASSWORD >>>>> property. Its value is '**********' >>>>> >>>>> Publish your password within the UI area and see if that works... >>>>> (also commenting out your custom action to set the property >>>>> >>>>> Steve >>>>> >>>>> -----Original Message----- >>>>> From: Jeremiahf [mailto:jeremi...@gmail.com] >>>>> Sent: May-02-13 6:29 PM >>>>> To: General discussion for Windows Installer XML toolset. >>>>> Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log >>>>> file >>>>> >>>>> Sure thing... >>>>> >>>>> Action start 17:26:56: CA_DBAction. >>>>> Action ended 17:26:56: CA_DBAction. Return value 1. >>>>> Action start 17:26:56: InstallFinalize. >>>>> SFXCA: Extracting custom action to temporary directory: >>>>> C:\WINDOWS\Installer\MSI1045.tmp-\ >>>>> SFXCA: Binding to CLR version v2.0.50727 Calling custom action >>>>> DatabaseCA!DatabaseCA.CustomActions.DatabaseCA >>>>> Begin DatabaseCA >>>>> Connecton String: Data Source=source;Packet >>>>> Size=4096;Uid=sqluser;Pwd=mypassword >>>>> >>>>> I as well have a custom action and HideTarget does nothing. >>>>> >>>>> >>>>> On Thu, May 2, 2013 at 4:53 PM, Chad Petersen >>>>> <chad.peter...@harlandfs.com>wrote: >>>>> >>>>>> If possible paste in a snippet of your log file around where >>>>>> the password is seen. I tried for a long time to hide >>>>>> passwords using the >>>>> same method. >>>>>> But it was some built-in custom actions that were logging my >>>>>> passwords rather than code I'd written myself. >>>>>> >>>>>> <Property Id="ConfigureIIsExec" Hidden="yes"/> <Property >>>>>> Id="ExecuteSqlStrings" Hidden="yes"/> >>>>>> >>>>>> These were two entries that I made to make those extensions >>>>>> hide >> the >>>>>> data passed to them, such as my password. >>>>>> >>>>>> -----Original Message----- >>>>>> From: Jeremiahf [mailto:jeremi...@gmail.com] >>>>>> Sent: Thursday, May 02, 2013 2:38 PM >>>>>> To: General discussion for Windows Installer XML toolset. >>>>>> Subject: Re: [WiX-users] Hide/blank out Passwords in MSI log >>>>>> file >>>>>> >>>>>> I have tried that and no luck. My MSI is installed via command >> line. >>>>>> >>>>>> I've even tried to give the property Id a value in case I >>>>>> missed something and still doesn't work. >>>>>> >>>>>> <Property Id="PASSWORD" Value="password" Hidden="yes" Secure="yes" >>>>>> /> >>>>>> >>>>>> My test system is running Server 2003 R2 SP 2 windows >>>>>> installer version >>>>>> 4.5 6001.22159 >>>>>> >>>>>> I've upgraded from WIX 3.6 TO 3.7 in case it was a bug as I >>>>>> have found in hundreds of blogs online but every time I see >>>>>> that a fix was submitted, I can't tell what version it was > submitted in. >> (sorry >>>>>> for the run on >>>>>> sentence.) >>>>>> >>>>>> J >>>>>> >>>>>> >>>>>> On Thu, May 2, 2013 at 4:24 PM, Steven Ogilvie >>>>>> <steven.ogil...@titus.com >>>>>>> wrote: >>>>>> >>>>>>> I declare the property: >>>>>>> <Property Id="WEBAPPPOOL_PASSWORD" Hidden="yes" >>>>>>> Secure="yes"/> This is how I use my password controls: >>>>>>> <Control Id="textBoxPassword" Type="Edit" Height="15" > Width="177" >>>>> X="180" >>>>>>> Y="152" Property="WEBAPPPOOL_PASSWORD" Password="yes" >> TabSkip="no" >>>>>>> /> >>>>>>> >>>>>>> Logfile: >>>>>>> MSI (c) (70:1C) [14:50:59:778]: PROPERTY CHANGE: Adding >>>>>>> WEBAPPPOOL_PASSWORD property. Its value is '**********' >>>>>>> >>>>>>> >>>>>>> -----Original Message----- >>>>>>> From: Jeremiahf [mailto:jeremi...@gmail.com] >>>>>>> Sent: May-02-13 5:08 PM >>>>>>> To: wix-users@lists.sourceforge.net >>>>>>> Subject: [WiX-users] Hide/blank out Passwords in MSI log >>>>>>> file >>>>>>> >>>>>>> Has anyone had luck with this? >>>>>>> >>>>>>> >>>>>>> >>>>>>> I have tried using Hidden, HideTarget and I still see the >>>>>>> password in my logs. Is this still a bug in windows installer? >>>>>>> >>>>>>> >>>>>>> >>>>>>> Thanks in advance, >>>>>>> >>>>>>> >> ------------------------------------------------------------------ >>>>>>> -- >>>>>>> -- >>>>>>> -------- Get 100% visibility into Java/.NET code with >>>>>>> AppDynamics Lite It's a free troubleshooting tool designed >>>>>>> for production Get down to code-level detail for >>>>>>> bottlenecks, > with <2% overhead. >>>>>>> Download for free and get started troubleshooting in minutes. >>>>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>>>> _______________________________________________ >>>>>>> WiX-users mailing list >>>>>>> WiX-users@lists.sourceforge.net >>>>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>>>> >>>>>>> >>>>>>> >> ------------------------------------------------------------------ >>>>>>> -- >>>>>>> -- >>>>>>> -------- Get 100% visibility into Java/.NET code with >>>>>>> AppDynamics Lite It's a free troubleshooting tool designed >>>>>>> for production Get down to code-level detail for >>>>>>> bottlenecks, > with <2% overhead. >>>>>>> Download for free and get started troubleshooting in minutes. >>>>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>>>> _______________________________________________ >>>>>>> WiX-users mailing list >>>>>>> WiX-users@lists.sourceforge.net >>>>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>>>> >>>>>> >>>>>> >>>>>> >>>>>> -- >>>>>> "They may forget what you said but they will never forget how >>>>>> you made them feel." -- Anonymous >>>>>> >>>>>> >> -------------------------------------------------------------------- >>>>>> -- >>>>>> -------- Get 100% visibility into Java/.NET code with >>>>>> AppDynamics Lite It's a free troubleshooting tool designed for >>>>>> production Get down to code-level detail for bottlenecks, with >>>>>> <2% > overhead. >>>>>> Download for free and get started troubleshooting in minutes. >>>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>>> _______________________________________________ >>>>>> WiX-users mailing list >>>>>> WiX-users@lists.sourceforge.net >>>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>>> >>>>>> >>>>>> >>>>>> >>>>>> >> -------------------------------------------------------------------- >>>>>> -- >>>>>> -------- Get 100% visibility into Java/.NET code with >>>>>> AppDynamics Lite It's a free troubleshooting tool designed for >>>>>> production Get down to code-level detail for bottlenecks, with >>>>>> <2% > overhead. >>>>>> Download for free and get started troubleshooting in minutes. >>>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>>> _______________________________________________ >>>>>> WiX-users mailing list >>>>>> WiX-users@lists.sourceforge.net >>>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>>> >>>>> >>>>> >>>>> >>>>> -- >>>>> "They may forget what you said but they will never forget how >>>>> you >> made >>>>> them feel." -- Anonymous >>>>> >>>>> >> ---------------------------------------------------------------------- >>>>> -------- Get 100% visibility into Java/.NET code with >>>>> AppDynamics >> Lite >>>>> It's a free troubleshooting tool designed for production Get >>>>> down to code-level detail for bottlenecks, with <2% overhead. >>>>> Download for free and get started troubleshooting in minutes. >>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>> _______________________________________________ >>>>> WiX-users mailing list >>>>> WiX-users@lists.sourceforge.net >>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>> >>>>> >>>>> >> ---------------------------------------------------------------------- >>>>> -------- Get 100% visibility into Java/.NET code with >>>>> AppDynamics >> Lite >>>>> It's a free troubleshooting tool designed for production Get >>>>> down to code-level detail for bottlenecks, with <2% overhead. >>>>> Download for free and get started troubleshooting in minutes. >>>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>>> _______________________________________________ >>>>> WiX-users mailing list >>>>> WiX-users@lists.sourceforge.net >>>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>>> >>>> >>>> >>>> >>>> -- >>>> >>>> >>> >> ---------------------------------------------------------------------- >> ------ >>>> -- >>>> Get 100% visibility into Java/.NET code with AppDynamics Lite It's >>>> a >> free >>>> troubleshooting tool designed for production Get down to >>>> code-level >>> detail >>>> for bottlenecks, with <2% overhead. >>>> Download for free and get started troubleshooting in minutes. >>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>> _______________________________________________ >>>> WiX-users mailing list >>>> WiX-users@lists.sourceforge.net >>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>> >>>> >>>> >>>> >>>> >>> >> ---------------------------------------------------------------------- >> -------- >>>> Get 100% visibility into Java/.NET code with AppDynamics Lite It's >>>> a >> free >>>> troubleshooting tool designed for production Get down to >>>> code-level >>> detail >>>> for bottlenecks, with <2% overhead. >>>> Download for free and get started troubleshooting in minutes. >>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>> _______________________________________________ >>>> WiX-users mailing list >>>> WiX-users@lists.sourceforge.net >>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>> >>>> >>>> >>> >> ---------------------------------------------------------------------- >> -------- >>>> Get 100% visibility into Java/.NET code with AppDynamics Lite It's >>>> a free troubleshooting tool designed for production Get down to >>>> code-level detail for bottlenecks, with <2% overhead. >>>> Download for free and get started troubleshooting in minutes. >>>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>>> _______________________________________________ >>>> WiX-users mailing list >>>> WiX-users@lists.sourceforge.net >>>> https://lists.sourceforge.net/lists/listinfo/wix-users >>>> >>> >>> >>> >>> -- >>> "They may forget what you said but they will never forget how you >>> made >> them >>> feel." -- Anonymous >>> >>> >> ---------------------------------------------------------------------- >> -------- >>> Get 100% visibility into Java/.NET code with AppDynamics Lite It's a >>> free troubleshooting tool designed for production Get down to >>> code-level detail for bottlenecks, with <2% overhead. >>> Download for free and get started troubleshooting in minutes. >>> http://p.sf.net/sfu/appdyn_d2d_ap2 >>> _______________________________________________ >>> WiX-users mailing list >>> WiX-users@lists.sourceforge.net >>> https://lists.sourceforge.net/lists/listinfo/wix-users >>> >>> >> >> ---------------------------------------------------------------------- >> -------- Get 100% visibility into Java/.NET code with AppDynamics Lite >> It's a free troubleshooting tool designed for production Get down to >> code-level detail for bottlenecks, with <2% overhead. >> Download for free and get started troubleshooting in minutes. >> http://p.sf.net/sfu/appdyn_d2d_ap2 >> _______________________________________________ >> WiX-users mailing list >> WiX-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/wix-users >> > > > > -- > "They may forget what you said but they will never forget how you made them > feel." -- Anonymous > ---------------------------------------------------------------------------- > -- > Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get > 100% visibility into your production application - at no cost. > Code-level diagnostics for performance bottlenecks with <2% overhead Download > for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap1 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > > > > ------------------------------------------------------------------------------ > Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get > 100% visibility into your production application - at no cost. > Code-level diagnostics for performance bottlenecks with <2% overhead Download > for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap1 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users > > ------------------------------------------------------------------------------ > Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET > Get 100% visibility into your production application - at no cost. > Code-level diagnostics for performance bottlenecks with <2% overhead > Download for free and get started troubleshooting in minutes. > http://p.sf.net/sfu/appdyn_d2d_ap1 > _______________________________________________ > WiX-users mailing list > WiX-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/wix-users ------------------------------------------------------------------------------ Introducing AppDynamics Lite, a free troubleshooting tool for Java/.NET Get 100% visibility into your production application - at no cost. Code-level diagnostics for performance bottlenecks with <2% overhead Download for free and get started troubleshooting in minutes. http://p.sf.net/sfu/appdyn_d2d_ap1 _______________________________________________ WiX-users mailing list WiX-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/wix-users
