From 0ae8bf8dbc3d5db9a604c7be66aa22893e109fa0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Thu, 11 May 2023 15:57:02 +0200 Subject: [PATCH] msi: do not create AppData\Roaming\npm This effectively reverts e431cae7e70069cd1631081f9dca09990b948feb due to security concerns. The directory is being created with elevated privileges but its path may depend on an unprivileged user's environment variables. Creating a directory in certain sensitive locations can cause Windows to become inoperable. Creating AppData\Roaming\npm was an intentional addition in order to resolve https://github.com/nodejs/node-v0.x-archive/issues/8141, which appears to have been a common issue for users of npm. However, this was implemented before 4cfe5eb9af9d0a46ab6bfe3a4a49c4b1e43513b0, which changed the MSI installation scope to perMachine. There were concerns about creating the npm directory in that PR, albeit not related to security (see https://github.com/nodejs/node-v0.x-archive/pull/25640). Refs: https://github.com/nodejs/node-v0.x-archive/issues/8141 Refs: https://github.com/nodejs/node-v0.x-archive/pull/8838 Refs: https://github.com/nodejs/node-v0.x-archive/pull/25640 PR-URL: https://github.com/nodejs-private/node-private/pull/408 Reviewed-By: Rafael Gonzaga CVE-ID: CVE-2023-30585 --- tools/msvs/msi/nodemsi/product.wxs | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/tools/msvs/msi/nodemsi/product.wxs b/tools/msvs/msi/nodemsi/product.wxs index de4a6a34cee118..991b8176554f0a 100644 --- a/tools/msvs/msi/nodemsi/product.wxs +++ b/tools/msvs/msi/nodemsi/product.wxs @@ -69,7 +69,6 @@ - @@ -92,7 +91,6 @@ - @@ -243,16 +241,6 @@ - - - - - - - - - -