mirrors/rufus
1
0
Fork 0
mirror of https://github.com/pbatard/rufus.git synced 2025-05-24 19:54:25 -04:00
Code Issues Projects Releases Packages Wiki Activity

[fido] add additional Authenticode validation before running the script

Browse source 
* This basically means that the script is validate *TWICE*, using two
  completely independent signatures, before it is allowed to run, which
  should add another mitigation layer against TOCTOU (which we already
  friggin' mitigated against anyway) and other potential vectors of
  attack.
* Also remove -DisableFirstRunCustomize option and the associated cookie
  prompt monitoring, which the latest version of Fido no longer requires.
* Also update WDK version for signtool and flesh out PKI error messages.
This commit is contained in:
Pete Batard 2021-05-27 00:18:05 +01:00
parent 3083324a0e
commit f26fd2fbe3
No known key found for this signature in database
GPG key ID: 38E0CF5E69EDD671
8 changed files with 63 additions and 49 deletions
Download patch file Download diff file Expand all files Collapse all files

2
src/rufus.c
View file

@ -3335,7 +3335,7 @@ skip_args_processing:
static_sprintf(ini_path, "%s\\rufus.ini", app_dir);
fd = fopenU(ini_path, ini_flags); // Will create the file if portable mode is requested
// Using the string directly in safe_strcmp() would call GetSignatureName() twice
tmp = GetSignatureName(NULL, NULL);
tmp = GetSignatureName(NULL, NULL, FALSE);
vc |= (safe_strcmp(tmp, cert_name[0]) == 0);
if (fd != NULL) {
ini_file = ini_path;