Possible bug in 3.9 Burn SecureString handling

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Possible bug in 3.9 Burn SecureString handling

Jansson
This post has NOT been accepted by the mailing list yet.
This post was updated on .
Hi,
I have been trying to use the new SecureString functionality in the engine and unless my implementation is faulty, it must be a bug.

Scenario 1:
No variable defined in the xml.
New up, then use SecureString.Copy() to copy a SecureString variable from my Bootstrapper Application to _engine.SecureStringVariables[name]
Everything works just fine, except that the variable is not hidden, and its value is displayed in the Burn log.

Scenario 2a - A hidden variable is defined in the xml:
<Variable Name="SOMEPASS" Type="string" Hidden="yes" Value="xx"/>
or Value="", it does not matter.
The value is cleared in the custom BA. Then,
_engine.SecureStringVariables[name]
gets its value from SecureString Copy() as above.
Note: in this scenario, the length of the string is longer than that defined in the xml.
By debugging, one can verify that the _engine variable has received the value.
Then, finish the UI and hit install. Accept the UAC.
The setup fails. In the Burn log:

[2664:2D08][2014-11-12T09:28:09]e000: Error 0x80070057: Failed to set the variant's encryption state
[2664:2D08][2014-11-12T09:28:09]e000: Error 0x80070057: Failed to set value of variable: SOMEPASS
[2664:2D08][2014-11-12T09:28:09]e000: Error 0x80070057: Failed to set variable.
[2664:2D08][2014-11-12T09:28:09]e000: Error 0x80070057: Failed to read variables.
[185C:2F5C][2014-11-12T09:28:09]e000: Error 0x80070057: Another per-machine setup is already executing.


Scenario 2b - A hidden variable is defined in the xml:
<Variable Name="SOMEPASS" Type="string" Hidden="yes" Value="123456789abc"/>
The value is cleared in the custom BA. Then,
_engine.SecureStringVariables[name]
gets its value from SecureString Copy() as above.
Note: in this scenario, the length of the string is of the same length or shorter than that defined in the xml.
Then, finish the UI and hit install. Accept the UAC.
The setup finishes successfully and has successfully sent the variable to the MSIs.
In the Burn log, the final value of the SecureString variable is hidden in the Property summary.

As mentioned above, it can be verified that the SecureStringVariable in the engine object has a proper value. The error comes later, somewhere in the c++ code (the error seems to come from variant.cpp)

Questions:
        1. Should I post a bug about the 2a scenario (that the engine crashes)?
        2. Should I post a bug or feature request about scenario 1 (a bug that SecureString variables are hidden=false if created from the BA (as opposed to the Burn xml: a feature request that you may want to be able to set the attribute hidden when creating the variable from the custom BA) is displayed in the log (is not created))?


As a side note, it seems that the 2a error occurs only if the memory initially assigned is smaller than the memory required. For example, an initial value with a length of 11 is ok when a string of 12 is assigned to it because a length of 11 assigns 16 characters, while an initial value of 7 will make a string of 12 fail since only 8 characters are assigned in the initial state.

Edit:
The word "longer" was wrong and has been replaced by "shorter" in the 2b scenario.
>Note: in this scenario, the length of the string is of the same length or shorter than that defined in the xml.


Thanks,
Mattias
Reply | Threaded
Open this post in threaded view
|

Re: Possible bug in 3.9 Burn SecureString handling

SeanHall
Thanks for the post, but the mailing list is actually hosted on SourceForge.  Please subscribe to the mailing list at https://lists.sourceforge.net/lists/listinfo/wix-devs/ before posting again so we get it.  Someone else has submitted the bug at http://wixtoolset.org/issues/4609.  Also, this kind of email belongs on the wix-users mailing list.

For scenario 1, using the SecureStringVariables property in the engine doesn't mean that the variable will be hidden.  You must declare all of your hidden variables when building the bundle.  If you want this functionality (BA can create new hidden variables at runtime), please submit a feature request at http://wixtoolset.org/issues.