tyler.durden/notepad-plus-plus
1
0
Fork 0
mirror of https://github.com/notepad-plus-plus/notepad-plus-plus.git synced 2025-04-08 17:15:37 +02:00
Code Issues Packages Projects Releases Wiki Activity

Fix security flaw issue

Browse Source 
There's a security flaw for the un-installation of Notepad++ in Windows Register, the string without quotes:
C:\Program Files\Notepad++\uninstall.exe, whereas it should be "C:\Program Files\Notepad++\uninstall.exe".
The reason is, hacker can create a file called c:\program.exe, then Windows could interpret Files\Notepad++\uninstall.exe as the argument, so the system could run c:\program.exe. Ref:
https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464

Fixed by @ozone10:

Fix #10191, fix #6165, close #10369
This commit is contained in:
Don Ho 2021-08-10 19:04:20 +02:00
parent 2b0620b078
commit 686bf4fba1
3 changed files with 6 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
PowerEditor/Test/FunctionList/nsis/unitTest
View File

@ -30,7 +30,7 @@
!define VERSION_MAJOR 6
!define VERSION_MINOR 9
!define APPWEBSITE "http://notepad-plus-plus.org/"
!define APPWEBSITE "https://notepad-plus-plus.org/"
!define UNINSTALL_REG_KEY "Software\Microsoft\Windows\CurrentVersion\Uninstall\${APPNAME}"
!define MEMENTO_REGISTRY_ROOT HKLM
@ -344,15 +344,15 @@ Function .onInit
${GetWindowsVersion} $WinVer
StrCmp $WinVer "95" 0 +3
MessageBox MB_OK "This version of Notepad++ does not support your OS.$\nPlease download zipped package of version 5.9 and use ANSI version. You can find v5.9 here:$\nhttp://notepad-plus-plus.org/release/5.9"
MessageBox MB_OK "This version of Notepad++ does not support your OS.$\nPlease download zipped package of version 5.9 and use ANSI version. You can find v5.9 here:$\nhttps://notepad-plus-plus.org/release/5.9"
Abort
StrCmp $WinVer "98" 0 +3
MessageBox MB_OK "This version of Notepad++ does not support your OS.$\nPlease download zipped package of version 5.9 and use ANSI version. You can find v5.9 here:$\nhttp://notepad-plus-plus.org/release/5.9"
MessageBox MB_OK "This version of Notepad++ does not support your OS.$\nPlease download zipped package of version 5.9 and use ANSI version. You can find v5.9 here:$\nhttps://notepad-plus-plus.org/release/5.9"
Abort
StrCmp $WinVer "ME" 0 +3
MessageBox MB_OK "This version of Notepad++ does not support your OS.$\nPlease download zipped package of version 5.9 and use ANSI version. You can find v5.9 here:$\nhttp://notepad-plus-plus.org/release/5.9"
MessageBox MB_OK "This version of Notepad++ does not support your OS.$\nPlease download zipped package of version 5.9 and use ANSI version. You can find v5.9 here:$\nhttps://notepad-plus-plus.org/release/5.9"
Abort
!insertmacro MUI_LANGDLL_DISPLAY

2
PowerEditor/installer/nsisInclude/globalDef.nsh
View File

@ -58,7 +58,7 @@
!define ProdVer "${VERSION_MAJOR}.${VERSION_MINOR}"
!define LegalCopyright "Copyleft 1998-2017 by Don HO"
!define APPWEBSITE "http://notepad-plus-plus.org/"
!define APPWEBSITE "https://notepad-plus-plus.org/"
!define UNINSTALL_REG_KEY "Software\Microsoft\Windows\CurrentVersion\Uninstall\${APPNAME}"
!define MEMENTO_REGISTRY_ROOT HKLM

2
PowerEditor/installer/nsisInclude/tools.nsh
View File

@ -171,7 +171,7 @@ Function writeInstallInfoInRegistry
WriteRegStr HKLM "${UNINSTALL_REG_KEY}" "Publisher" "Notepad++ Team"
WriteRegStr HKLM "${UNINSTALL_REG_KEY}" "MajorVersion" "${VERSION_MAJOR}"
WriteRegStr HKLM "${UNINSTALL_REG_KEY}" "MinorVersion" "${VERSION_MINOR}"
WriteRegStr HKLM "${UNINSTALL_REG_KEY}" "UninstallString" "$INSTDIR\uninstall.exe"
WriteRegStr HKLM "${UNINSTALL_REG_KEY}" "UninstallString" '"$INSTDIR\uninstall.exe"'
WriteRegStr HKLM "${UNINSTALL_REG_KEY}" "DisplayIcon" "$INSTDIR\notepad++.exe"
WriteRegStr HKLM "${UNINSTALL_REG_KEY}" "DisplayVersion" "${APPVERSION}"
WriteRegStr HKLM "${UNINSTALL_REG_KEY}" "URLInfoAbout" "${APPWEBSITE}"