daohualiuxiang
/
node
mirror of https://github.com/nodejs/node.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

msi: do not create AppData\Roaming\npm 

This effectively reverts e431cae7e7 due to
security concerns. The directory is being created with elevated
privileges but its path may depend on an unprivileged user's environment
variables. Creating a directory in certain sensitive locations can cause
Windows to become inoperable.

Creating AppData\Roaming\npm was an intentional addition in order to
resolve https://github.com/nodejs/node-v0.x-archive/issues/8141, which
appears to have been a common issue for users of npm. However, this was
implemented before 4cfe5eb9af, which
changed the MSI installation scope to perMachine. There were concerns
about creating the npm directory in that PR, albeit not related to
security (see https://github.com/nodejs/node-v0.x-archive/pull/25640).

Refs: https://github.com/nodejs/node-v0.x-archive/issues/8141
Refs: https://github.com/nodejs/node-v0.x-archive/pull/8838
Refs: https://github.com/nodejs/node-v0.x-archive/pull/25640
PR-URL: https://github.com/nodejs-private/node-private/pull/408
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
CVE-ID: CVE-2023-30585
pull/48505/head
Tobias Nießen 2023-05-11 15:57:02 +02:00 committed by RafaelGSS
parent 56b1a0fca4
commit 0ae8bf8dbc
1 changed files with 0 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
tools/msvs/msi/nodemsi/product.wxs
View File

@ -69,7 +69,6 @@
<ComponentRef Id="NodeRegistryEntries"/>
<ComponentRef Id="NodeVarsScript"/>
<ComponentRef Id="NodeStartMenu"/>
<ComponentRef Id="AppData" />
<ComponentRef Id="InstallToolsBat" />
<ComponentRef Id="SetInstallDirPermission" />
</Feature>
@ -92,7 +91,6 @@
<ComponentRef Id="NpxCmdScript"/>
<ComponentRef Id="NpxBashScript"/>
<ComponentRef Id="NpmConfigurationFile"/>
<ComponentRef Id="AppData" />
<ComponentRef Id="SetInstallDirPermission" />
<ComponentGroupRef Id="NpmSourceFiles"/>
</Feature>
@ -243,16 +241,6 @@
</Directory>
</DirectoryRef>
<StandardDirectory Id="AppDataFolder">
<Directory Id="AppDataDir" Name="npm">
<Component Id="AppData" Guid="D3B35D0E-D0F9-4D11-A773-D4608E90E1D1">
<CreateFolder />
<RemoveFolder Id="AppDataDir" On="uninstall" />
<RegistryValue Root="HKCU" Key="$(var.RegistryKeyPath)\Components" Type="string" Value="" />
</Component>
</Directory>
</StandardDirectory>
<DirectoryRef Id="ApplicationProgramsFolder">
<Component Id="DocumentationShortcuts">
<RegistryValue Root="HKCU"