Skip to content

Commit b97ccff

Browse files
PrcuvuPrcuvu
committed
fix(ipc): add version check for security descriptor initialization
Add an OS version check to prevent failure on older Windows versions, since ALL APPLICATION PACKAGES principal is first implemented in Windows 8, and integrity mechanism is first implemented in Windows Vista. Fixes #157
1 parent 28cdd09 commit b97ccff

File tree

2 files changed

+71
-7
lines changed

2 files changed

+71
-7
lines changed

WeaselIPCServer/SecurityAttribute.cpp

Lines changed: 70 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,18 +1,82 @@
11
#include "stdafx.h"
22
#include "SecurityAttribute.h"
33
#include <Sddl.h>
4+
#include <VersionHelpers.hpp>
5+
6+
#ifndef SDDL_ALL_APP_PACKAGES
7+
#define SDDL_ALL_APP_PACKAGES TEXT("AC")
8+
#endif
9+
10+
#define LOW_INTEGRITY_SDDL_SACL SDDL_SACL \
11+
SDDL_DELIMINATOR \
12+
SDDL_ACE_BEGIN \
13+
SDDL_MANDATORY_LABEL \
14+
SDDL_SEPERATOR \
15+
SDDL_SEPERATOR \
16+
SDDL_NO_WRITE_UP \
17+
SDDL_SEPERATOR \
18+
SDDL_SEPERATOR \
19+
SDDL_SEPERATOR \
20+
SDDL_ML_LOW \
21+
SDDL_ACE_END
22+
23+
#define LOCAL_SYSTEM_FILE_ACCESS SDDL_ACE_BEGIN \
24+
SDDL_ACCESS_ALLOWED \
25+
SDDL_SEPERATOR \
26+
SDDL_SEPERATOR \
27+
SDDL_FILE_ALL \
28+
SDDL_SEPERATOR \
29+
SDDL_SEPERATOR \
30+
SDDL_SEPERATOR \
31+
SDDL_LOCAL_SYSTEM \
32+
SDDL_ACE_END
33+
34+
#define EVERYONE_FILE_ACCESS SDDL_ACE_BEGIN \
35+
SDDL_ACCESS_ALLOWED \
36+
SDDL_SEPERATOR \
37+
SDDL_SEPERATOR \
38+
SDDL_FILE_ALL \
39+
SDDL_SEPERATOR \
40+
SDDL_SEPERATOR \
41+
SDDL_SEPERATOR \
42+
SDDL_EVERYONE \
43+
SDDL_ACE_END
44+
45+
#define ALL_APP_PACKAGES_FILE_ACCESS SDDL_ACE_BEGIN \
46+
SDDL_ACCESS_ALLOWED \
47+
SDDL_SEPERATOR \
48+
SDDL_SEPERATOR \
49+
SDDL_FILE_ALL \
50+
SDDL_SEPERATOR \
51+
SDDL_SEPERATOR \
52+
SDDL_SEPERATOR \
53+
SDDL_ALL_APP_PACKAGES \
54+
SDDL_ACE_END
455

556
namespace weasel {
657

758
void SecurityAttribute::_Init()
859
{
9-
// Privilages for UWP and IE protected mode
60+
// Privileges for UWP and IE protected mode
1061
// https://stackoverflow.com/questions/39138674/accessing-named-pipe-servers-from-within-ie-epm-bho
11-
ConvertStringSecurityDescriptorToSecurityDescriptorW(
12-
L"S:(ML;;NW;;;LW)D:(A;;FA;;;SY)(A;;FA;;;WD)(A;;FA;;;AC)",
13-
SDDL_REVISION_1,
14-
&pd,
15-
NULL);
62+
if (IsWindowsVistaOrGreater())
63+
{
64+
ConvertStringSecurityDescriptorToSecurityDescriptor(
65+
IsWindows8OrGreater() ? LOW_INTEGRITY_SDDL_SACL
66+
SDDL_DACL
67+
SDDL_DELIMINATOR
68+
LOCAL_SYSTEM_FILE_ACCESS
69+
EVERYONE_FILE_ACCESS
70+
ALL_APP_PACKAGES_FILE_ACCESS
71+
: LOW_INTEGRITY_SDDL_SACL
72+
SDDL_DACL
73+
SDDL_DELIMINATOR
74+
LOCAL_SYSTEM_FILE_ACCESS
75+
EVERYONE_FILE_ACCESS,
76+
SDDL_REVISION_1,
77+
&pd,
78+
NULL);
79+
}
1680

1781
sa.nLength = sizeof(SECURITY_ATTRIBUTES);
1882
sa.lpSecurityDescriptor = pd;

WeaselIPCServer/SecurityAttribute.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,7 @@ namespace weasel {
99
SECURITY_ATTRIBUTES sa;
1010
void _Init();
1111
public:
12-
SecurityAttribute() { _Init(); }
12+
SecurityAttribute() : pd(NULL) { _Init(); }
1313
SECURITY_ATTRIBUTES *get_attr();
1414
};
1515
};

0 commit comments

Comments
 (0)
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy