On 12/20/2013 02:23 PM, David Connet wrote:
>> From: Gerry Reno <gr...@verizon.net>
>> To: wix-users@lists.sourceforge.net
>> Cc:
>> Sent: Friday, December 20, 2013 10:42 AM
>> Subject: Re: [WiX-users] ExeCommand will not accept any path with spaces
>>
>> On 12/20/2013 01:20 PM, David Connet wrote:
>>>> From: Gerry Reno <gr...@verizon.net>
>>>> To: wix-users@lists.sourceforge.net
>>>> Cc:
>>>> Sent: Friday, December 20, 2013 10:03 AM
>>>> Subject: Re: [WiX-users] ExeCommand will not accept any path with spaces
>>>>
>>>> On 12/20/2013 12:49 PM, Edwin Castro wrote:
>>>>> On 12/20/13, 9:46 AM, Gerry Reno wrote:
>>>>>> On 12/20/2013 10:44 AM, David Connet wrote:
>>>>>>>> From: Gerry Reno [mailto:gr...@verizon.net]
>>>>>>>>
>>>>>>>>>> <Binary Id='CMDEXE' SourceFile='C:\WINDOWS\System32\cmd.exe' />
>>>>>>>> I don't think that's legal. cmd.exe is not a redistributable file. You
>>>>>>>> can't include it in your installer.
>>>>>> cmd.exe is not being distributed. Binary is how you call system files.
>>>>>>
>>>>> NO. Binary is how you embed files in your MSI for your MSI to use during
>>>>> install. You ARE distributing cmd.exe in your MSI which is very likely
>>>>> not allowed.
>>>> Thanks. I will check this and if it is in the installer package I'll change
>>>> it to something like this:
>>>>
>>>> <Property Id='CMDEXE'>cmd.exe</Property>
>>>> <CustomAction Id='LaunchFile' Property='CMDEXE'
>>>>     ExeCommand='all my arguments' Return='asyncNoWait' />
>>> Hmm... nasty attack vector there...
>>> - My PATH: c:\bin;...
>>> - create c:\bin\cmd.exe, do whatever I want
>> What? You always shoot your own system? :-)
>>
>> Any virus that did that would be caught by the anti-virus.
> No, the point is you've now created a vector that a malicious program could
> infect a system.
>
> Let's assume a naive person was convinced to download a nasty cmd.exe that
> was inserted into the system where it is found before the real one.
> And the user is not an admin.
> And the installer is run by right-click/runasAdmin.
> Now the nasty program has full admin rights.

Well, ok. Not likely, but possible I suppose if they hadn't updated their anti-virus for a while.
Already agreed that ComSpec was the way to prevent this type of thing.

>
> Dave
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk
> _______________________________________________
> WiX-users mailing list
> WiX-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/wix-users
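
The ComSpec approach the thread settles on, written out as WiX authoring beside the bare-name version it replaces. This is an added example, not code posted by anyone in the thread; it assumes WiX v3 syntax, the `After='InstallFinalize'` scheduling and the `NOT Installed` condition are illustrative choices, and `ExeCommand` keeps the thread's own placeholder.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Wix xmlns="http://schemas.microsoft.com/wix/2006/wi">
  <Fragment>
    <!-- BEFORE (as proposed in the thread): CMDEXE holds a bare file name,
         so the executable search at install time decides which cmd.exe
         runs. A planted cmd.exe that is found first would be started by
         the installer.
    <Property Id='CMDEXE'>cmd.exe</Property>
    -->

    <!-- AFTER: fill CMDEXE at install time from the ComSpec environment
         variable, which holds the full path of the command interpreter.
         Property table values are not expanded as formatted text, so the
         [%ComSpec] reference goes through SetProperty instead. -->
    <SetProperty Id='CMDEXE' Value='[%ComSpec]'
                 Before='LaunchFile' Sequence='execute' />

    <!-- Same custom action as in the thread: run the executable named by
         the CMDEXE property. 'all my arguments' is the thread's placeholder. -->
    <CustomAction Id='LaunchFile' Property='CMDEXE'
                  ExeCommand='all my arguments' Return='asyncNoWait' />

    <!-- Assumed scheduling for illustration: first install only, after
         the files are in place. -->
    <InstallExecuteSequence>
      <Custom Action='LaunchFile' After='InstallFinalize'>NOT Installed</Custom>
    </InstallExecuteSequence>
  </Fragment>
</Wix>
```

ComSpec is still an environment variable, so it is only as trustworthy as the environment the installer starts in; `Value='[SystemFolder]cmd.exe'` is a stricter variant that builds the path from the Windows Installer system-directory property instead.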