Nmap Development mailing list archives

RE: Possible severe bug - Windows installer


From: "Rob Nicholls" <robert () robnicholls co uk>
Date: Tue, 7 Jun 2016 23:13:36 +0100

Hi Camilla,

Your screenshot shows Nmap added to the current user’s “path” environment variable. I’ve made some assumptions and my best guess is that you previously had a lot of other things in your PATH variable?

According to a warning on the NSIS page, which was only added a couple of years ago, “NSIS default build has a string limit of 1024 characters. If the PATH is bigger, this function will replace the whole PATH instead of just appending to it”. Is that the issue you’ve experienced? Has everything in your current user’s PATH been replaced by the Nmap path? If so, that means your PATH originally had around 1000+ characters, which is very unusual as most people tend to only have a few entries; however, this is something we really should try to avoid (it is more of an issue if it replaces the HKLM key, but I agree it’d be annoying when it affects HKCU).

The way we add Nmap to the path uses some very old code based on http://nsis.sourceforge.net/Path_Manipulation which still contains references to Windows 9x, so it is something we probably can clean up a lot (especially as we don’t support Windows 9x anymore) and make more robust, particularly if you have been affected by the 1024 character limit as it could affect others too.

There’s a much better and quite recent example here that checks the length of the path and only appends Nmap if it looks safe. It appears to call the Windows API directly, and checks the length of the string against the NSIS string limitation: https://www.smartmontools.org/browser/trunk/smartmontools/os_win32/installer.nsi?rev=4110#L636

We would need to use a “large strings build” of the NSIS installer to help raise this to a much higher value (such as 2048 characters) to avoid being hit by the 1024 character limit, but with the new code we could at least prevent replacing an entry unless it’s safe. If we make the Windows API call and use a large strings build version we should be able to avoid the 2048 character limit that we’d hit editing the registry directly, but no matter what we do we would still be limited to the 32K character limitation in Windows. Hopefully 32K is good enough for most people! :)

David and/or Daniel, it looks like we should use a newer version of NSIS than 2.47 to help address some further DLL hijacking issues and possibly avoid a shortcut issue on Vista: http://nsis.sourceforge.net/Docs/AppendixF.html#v2.51-cl – would it also be possible to use the “large strings build” from http://nsis.sourceforge.net/Special_Builds so we can support up to 2048 character strings until the Nmap.nsis code can be updated to use the Windows API instead of the registry key? It’s been almost 8 years since I wrote Windows API calls in NSIS for our WinPcap installer, but I might give it another go this weekend for Nmap and aim for support for up to 8192 characters (or return an error) depending on which NSIS installer build is used.

Regards,

Rob


From: dev [mailto:dev-bounces () nmap org] On Behalf Of missingRemote () mail com
Sent: 02 June 2016 11:32
To: dev () nmap org
Subject: Possible severe bug - Windows installer

Hi,

After installing Nmap 7.12, this is what my environment variables look like: https://snag.gy/hNnWRJ.jpg

Would think that is something you would like to know about, since that's pretty annoying for a user to experience.

I'm on Windows 10.

Regards,

Camilla Rygh

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
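Added example, not code from this thread, from the Nmap installer or from the NSIS wiki page Rob links: an NSIS function that appends a directory to the HKCU PATH only when the combined value fits in the NSIS string buffer. The failure Rob describes comes from ReadRegStr silently truncating a value longer than the buffer and the installer then writing that truncated string back, so the guard below refuses to touch PATH whenever the read value plus the new entry would reach `${NSIS_MAX_STRLEN}` (a real NSIS compile-time symbol: 1024 in the default build, larger in the "large strings" build, so the same check adapts to whichever build is used). The function name `AddToUserPath`, the section name and the sample install path are assumptions for the example.

```nsis
; Added example (not the Nmap installer's own code): append a directory to the
; current user's PATH only when the result fits in the NSIS string buffer.
; ReadRegStr truncates anything longer than ${NSIS_MAX_STRLEN}, and writing a
; truncated value back is exactly how an "append" becomes a "replace".
!include "LogicLib.nsh"
!include "WinMessages.nsh"

Name "PathGuardExample"
OutFile "path-guard-example.exe"

; Stack in: the directory to add. Nothing is written if it would not fit.
Function AddToUserPath
  Exch $0          ; $0 = directory to append (taken from the stack)
  Push $1
  Push $2
  Push $3

  ReadRegStr $1 HKCU "Environment" "Path"
  StrLen $2 $1     ; length of PATH as NSIS managed to read it (possibly truncated)
  StrLen $3 $0
  IntOp $3 $3 + $2
  IntOp $3 $3 + 2  ; one ';' separator plus the terminating NUL

  ; If the read value already filled the buffer, $3 is over the limit as well,
  ; so this single comparison covers both "too long to append" and "truncated".
  ${If} $3 >= ${NSIS_MAX_STRLEN}
    MessageBox MB_OK|MB_ICONEXCLAMATION "User PATH ($2 characters read) is too long for this installer to edit safely (limit ${NSIS_MAX_STRLEN}). PATH was left unchanged; please add $0 manually."
  ${ElseIf} $1 == ""
    WriteRegExpandStr HKCU "Environment" "Path" "$0"
    SendMessage ${HWND_BROADCAST} ${WM_WININICHANGE} 0 "STR:Environment" /TIMEOUT=5000
  ${Else}
    WriteRegExpandStr HKCU "Environment" "Path" "$1;$0"
    SendMessage ${HWND_BROADCAST} ${WM_WININICHANGE} 0 "STR:Environment" /TIMEOUT=5000
  ${EndIf}

  Pop $3
  Pop $2
  Pop $1
  Pop $0
FunctionEnd

Section "Add to PATH" SEC_PATH
  ; Constructed sample path; a real installer would push $INSTDIR instead.
  Push "C:\Program Files (x86)\Nmap"
  Call AddToUserPath
SectionEnd
```

This guards only against the NSIS buffer limit; it does not reproduce the smartmontools approach of calling the Windows API to measure the real value length, and it does not check for a duplicate entry, so a re-run would append the directory a second time.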
