PGP the files, then send the public key over CustomActionData. :-D Is
that *too* creative?
Chris
On Tue, May 6, 2008 at 2:41 PM, Rob Mensching <[EMAIL PROTECTED]>
wrote:
> Note: if you extract code files out during the script generation phase
> then use them during the execution phase and your deferred Custom Action is
> elevated, you could be open to an elevation of rights attack. Namely, the
> attacker could wait for your first custom action to lay down the DLLs to the
> temp drive (or wherever) then quickly replace them with malicious code and
> wait for your elevated Custom Action to execute the malicious code. The
> malicious code can do whatever it wants (like add the attacker to
> Administrators group). This attack is why we haven't provided such utility
> code in the WiX toolset.
>
>
>
> The obvious fix (off the top of my head) is to marshal all of the DLLs
> code through CustomActionData. That's kinda crazy… string encoding binary
> code, but it might work. <grin/> Maybe there is an easier way.
>
>
>
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *Dwyer, Shawn
> *Sent:* Tuesday, May 06, 2008 10:00
> *To:* Kiran Subhedar (Sogeti); Blair Murri
>
> *Cc:* wix-users@lists.sourceforge.net
> *Subject:* Re: [WiX-users] Need assistance!
>
>
>
> We use a similar approach of storing support files in a Binary table and
> extracting them to %TEMP% during a custom action. However one thing we ran
> into was that during the custom actions that wanted to use these files,
> %TEMP% was not the same as where we extracted them to. This was due to each
> msiexec process being run under a different session, which can be the case
> when installing through terminal services (remote desktop), and on Wiindows
> Server 2003 and 2008.
>
>
>
> As a work around we had the 'ExtractSupportFiles' custom action also write
> the path it extracted to in the registry and referenced that in later custom
> actions rather than %TEMP%.
>
>
>
> Just something to watch out for.
>
>
> ------------------------------
>
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *Kiran Subhedar
> (Sogeti)
> *Sent:* Monday, May 05, 2008 10:34 PM
> *To:* Blair Murri
> *Cc:* wix-users@lists.sourceforge.net
> *Subject:* Re: [WiX-users] Need assistance!
>
>
>
> Thanks again Blair! That's a very nice idea. Can you point me to some code
> or site which can get me started?
>
>
>
> Also I had another way (as explained in this link:
> http://blog.deploymentengineering.com/2006/12/managed-code-can-access-msihandle_10.html),
> using which a C++ CA will pass the MSI handle to the managed CA. In this
> way the managed CA could access Binary table and execute the files. But this
> means a lot of work as I need to host the CLR, then create the app domain,
> then load and execute the assemblies. This indeed means a lot of work.
>
>
>
> I liked you approach so I will give it a try.
>
>
>
> Thanks again!
>
>
>
> Kiran
>
>
>
> *From:* Blair Murri [mailto:[EMAIL PROTECTED]
> *Sent:* Monday, May 05, 2008 7:19 PM
> *To:* Kiran Subhedar (Sogeti)
> *Cc:* wix-users@lists.sourceforge.net
> *Subject:* RE: Need assistance!
>
>
>
> What I have seen others use is a C++ DLL CustomAction that extracts all
> needed files from the Binary table to the %TEMP% directory, leaving them
> there, and the deferred CAs then use/consume those files using the TEMP
> environment variable to find them. If you really shouldn't leave the files
> around, you could add a rollback/commit CA that erases them from the %TEMP%
> folder.
>
>
>
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *Kiran Subhedar
> (Sogeti)
> *Sent:* Monday, May 05, 2008 7:07 PM
> *To:* Blair Murri
> *Cc:* wix-users@lists.sourceforge.net
> *Subject:* Re: [WiX-users] Need assistance!
>
>
>
> Thanks Blair! I could not use a Binary table since the executables
> executing in-turn depend on one or other files. Moreover these are console
> applications so they will show a pop-up when the CA is executed. Also the
> CA's are deferred actions. So I think a Binary table wouldn't come to my
> rescue.
>
>
>
> Thanks,
>
> Kiran
>
>
>
> *From:* Blair Murri [mailto:[EMAIL PROTECTED]
> *Sent:* Monday, May 05, 2008 6:37 PM
> *To:* Kiran Subhedar (Sogeti)
> *Cc:* wix-users@lists.sourceforge.net
> *Subject:* RE: Need assistance!
>
>
>
> You could try using the Binary table instead of the File table to store
> the support files. You would need to extract then yourself in a custom
> action, but it could be the same custom action if that CA is not deferred.
>
>
>
> *From:* [EMAIL PROTECTED] [mailto:
> [EMAIL PROTECTED] *On Behalf Of *Kiran Subhedar
> (Sogeti)
> *Sent:* Monday, May 05, 2008 2:31 PM
> *To:* wix-users@lists.sourceforge.net
> *Subject:* [WiX-users] Need assistance!
>
>
>
> Hi,
>
> I am having an issue over here. I am using a custom action which uses some
> support files. The action is required to run both in installation and
> un-installation phases. But the support files needs to be removed after
> installation. That means I will require these files again during
> un-installation. How can I remove files after installation and again
> install\remove them after un-installation? Any help would be appreciated.
>
>
>
> Thanks,
>
> Kiran
>
> -------------------------------------------------------------------------
> This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
> Don't miss this year's exciting event. There's still time to save $100.
> Use priority code J8TL2D2.
>
> http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
> _______________________________________________
> WiX-users mailing list
> WiX-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/wix-users
>
>
-------------------------------------------------------------------------
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference
Don't miss this year's exciting event. There's still time to save $100.
Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
_______________________________________________
WiX-users mailing list
WiX-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/wix-users
