When elevated place clean room in system Temp folder

To prevent DLL hijacking the clean room process when launched elevated, the system Temp folder will be used instead of the user's temp folder. This ensures the user cannot slip malicious DLLs into the clean room. Fixes wixtoolset/issues#5724
wixtoolset · Nov 18, 2017 · 19b5f04 · 19b5f04
1 parent 31c5830
commit 19b5f04
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 1 deletion.
diff --git a/history/5724.md b/history/5724.md
@@ -0,0 +1 @@
+* RobMen - WIXBUG:5724 - fix DLL hijack of clean room when bundle launched elevated.
diff --git a/src/burn/engine/cache.cpp b/src/burn/engine/cache.cpp
@@ -1104,13 +1104,29 @@ static HRESULT CalculateWorkingFolder(
 {
     HRESULT hr = S_OK;
     RPC_STATUS rs = RPC_S_OK;
+    BOOL fElevated = FALSE;
     WCHAR wzTempPath[MAX_PATH] = { };
     UUID guid = {};
     WCHAR wzGuid[39];
 
     if (!vsczWorkingFolder)
     {
-        if (0 == ::GetTempPathW(countof(wzTempPath), wzTempPath))
+        ProcElevated(::GetCurrentProcess(), &fElevated);
+
+        if (fElevated)
+        {
+            if (!::GetWindowsDirectoryW(wzTempPath, countof(wzTempPath)))
+            {
+                ExitWithLastError(hr, "Failed to get windows path for working folder.");
+            }
+
+            hr = PathFixedBackslashTerminate(wzTempPath, countof(wzTempPath));
+            ExitOnFailure(hr, "Failed to ensure windows path for working folder ended in backslash.");
+
+            hr = ::StringCchCatW(wzTempPath, countof(wzTempPath), L"Temp\\");
+            ExitOnFailure(hr, "Failed to concat Temp directory on windows path for working folder.");
+        }
+        else if (0 == ::GetTempPathW(countof(wzTempPath), wzTempPath))
         {
             ExitWithLastError(hr, "Failed to get temp path for working folder.");
         }
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		* RobMen - WIXBUG:5724 - fix DLL hijack of clean room when bundle launched elevated.