Mass excitement this week: Plenty to triage and even more to talk about with WiX's first security update. With a little luck, we have some nice boring weeks ahead of us.
WiX v3.10.2 update
With January's Patch Tuesday behind us, our agreement with MSRC to not disclose a Windows vulnerability has lapsed. The Windows vulnerability can be manifested with a Burn bundle—as well as with almost every other installation engine and self-extractor available—in a way that is potentially serious. Because Burn gets elevation right—by elevating only when necessary, not up-front and always—it's harder for malware to get elevated privileges, but of course, even being able to execute code as the user could be significant. Therefore, FireGiant committed the time to make a series of mitigations in Burn against this Windows vulnerability and release them as WiX v3.10.2 as soon as possible.
For information on the approach we took, see issue 5184, WIP 5184 and check out the live code review from this week's meeting for the corresponding pull request.
WiX v3.10.2.2516 is a release candidate for WiX v3.10.2 and contains this fix.
Issue triage
Adding MIME type directly under WebSite element not working #5177 says that MimeMap under WebSite doesn't work but MimeMap under WebVirtualDir does. We asked for a log—it's what we do—and took this in WiX v3.x.
wrong VCRedist version evaluated in condition #5178 turned out to be user error. Unfortunately, the reporter didn't go into details, so it wasn't very entertaining for us.
wix 4.x for VS2012 in win10 compile error #5179 was a vague report about WiX v4.0. We asked for more details; if we get them, we'll evaluate what the problem might be.
Error during installation #5180 reported an error installing WiX v3.10 on Windows 7 Enterprise. We've had vague reports of problems with Windows 7 Enterprise before but have never narrowed them down to OS configuration, antivirus, or other, so we asked for logs in the hopes we'll decipher a root cause.
Cannot successfully escape InstallCommand variables with space in them #5181 reported a problem using paths with spaces but it turned out to be a problem quoting paths.
Loose file support in Burn? #5182 harkened back to a thread on wix-users in 2012 about Burn supporting loose files in a bundle. It does but doesn't support those files changing after the bundle is built—the file hashes change and fail validation during installation.
Unicode hyphen is not accepted as the start of an option on Wix 3.10 heat.exe #5183 requests that "the" Unicode hyphen be supported as a command-line switch marker. It turns out there are at least seven Unicode characters that qualify: hyphen, non-breaking hyphen, figure dash, en dash, em dash, horizontal bar, minus sign. I'm not sure we want to add all of those, but we said we'd take a look if someone wanted to do the work.
Prevent DLL Hijacking Burn #5184 is the tracking issue for WIP 5184 and pull request 322.
IBootstrapperEngine::SetDownloadSource requires non-const strings #5185 is an issue I opened when I discovered that the IBootstrapperEngine::SetDownloadSource bootstrapper application interface method takes LPWSTR arguments when it should be taking LPCWSTR arguments because the function never modifies the strings. We decided it was safe to take this change in WiX v3.x because someone already supplying a non-const string wouldn't be broken by the parameter type changing to const.