Changeset 104162 in vbox for trunk/src/VBox/Installer

Timestamp:

Apr 4, 2024 5:05:37 PM (11 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

162588

Message:

Windows/Host Installer: Check permissions of target directory when installing. Added a new testcase for this. bugref:10616

Location:

trunk/src/VBox/Installer/win

Files:

• InstallHelper/VBoxCommon.cpp (modified) (2 diffs)
• InstallHelper/VBoxInstallHelper.cpp (modified) (7 diffs)
• InstallHelper/VBoxInstallHelper.def (modified) (2 diffs)
• NLS/de_DE.wxl (modified) (3 diffs)
• NLS/el_GR.wxl (modified) (3 diffs)
• NLS/en_US.wxl (modified) (3 diffs)
• NLS/fa_IR.wxl (modified) (3 diffs)
• NLS/fr_FR.wxl (modified) (3 diffs)
• NLS/it_IT.wxl (modified) (3 diffs)
• NLS/ru_RU.wxl (modified) (3 diffs)
• NLS/tr_TR.wxl (modified) (3 diffs)
• NLS/zh_CN.wxl (modified) (3 diffs)
• NLS/zh_TW.wxl (modified) (3 diffs)
• UserInterface.wxi (modified) (6 diffs)
• VBoxMergeApp.wxi (modified) (1 diff)
• VBoxMergeAppCA.wxi (modified) (1 diff)
• VBoxMergeAppSeq.wxi (modified) (1 diff)
• VirtualBox.wxs (modified) (1 diff)

trunk/src/VBox/Installer/win/InstallHelper/VBoxCommon.cpp

@@ -39 +39 @@
 #include <iprt/utf16.h>
 
+#include "VBoxCommon.h"
 
+
+#ifndef TESTCASE
+/**
+ * Retrieves a MSI property (in UTF-16).
+ *
+ * Convenience function for VBoxGetMsiProp().
+ *
+ * @returns VBox status code.
+ * @param   hMsi                MSI handle to use.
+ * @param   pwszName            Name of property to retrieve.
+ * @param   pwszValueBuf        Where to store the allocated value on success.
+ * @param   cwcValueBuf         Size (in WCHARs) of \a pwszValueBuf.
+ */
 UINT VBoxGetMsiProp(MSIHANDLE hMsi, const WCHAR *pwszName, WCHAR *pwszValueBuf, DWORD cwcValueBuf)
 {
-    RT_BZERO(pwszValueBuf, cwcValueBuf * sizeof(pwszValueBuf[0]));
+    RT_BZERO(pwszValueBuf, cwcValueBuf * sizeof(WCHAR));
+    return MsiGetPropertyW(hMsi, pwszName, pwszValueBuf, &cwcValueBuf);
+}
+#endif
 
-    /** @todo r=bird: why do we need to query the size first and then the data.
-     *        The API should be perfectly capable of doing that without our help. */
-    WCHAR wcDummy   = 0;
-    DWORD cwcNeeded = 0;
-    UINT  uiRet = MsiGetPropertyW(hMsi, pwszName, &wcDummy, &cwcNeeded);
-    if (uiRet == ERROR_MORE_DATA)
-    {
-        ++cwcNeeded;     /* On output does not include terminating null, so add 1. */
-
-        if (cwcNeeded > cwcValueBuf)
-            return ERROR_MORE_DATA;
-        uiRet = MsiGetPropertyW(hMsi, pwszName, pwszValueBuf, &cwcNeeded);
-    }
-    return uiRet;
-}
-
-#if 0 /* unused */
 /**
  * Retrieves a MSI property (in UTF-8).
@@ -89 +89 @@
     return rc;
 }
-#endif
 
+#ifndef TESTCASE
 UINT VBoxSetMsiProp(MSIHANDLE hMsi, const WCHAR *pwszName, const WCHAR *pwszValue)
 {
     return MsiSetPropertyW(hMsi, pwszName, pwszValue);
 }
+#endif
 
 UINT VBoxSetMsiPropDWORD(MSIHANDLE hMsi, const WCHAR *pwszName, DWORD dwVal)

trunk/src/VBox/Installer/win/InstallHelper/VBoxInstallHelper.cpp

@@ -38 +38 @@
 #include <iprt/win/windows.h>
 
+#include <aclapi.h>
 #include <msi.h>
 #include <msiquery.h>
@@ -46 +47 @@
 #include <cfgmgr32.h>
 #include <devguid.h>
+#include <sddl.h> /* For ConvertSidToStringSidW. */
 
 #include <iprt/win/objbase.h>
@@ -55 +57 @@
 #include <iprt/assert.h>
 #include <iprt/alloca.h>
+#include <iprt/dir.h>
+#include <iprt/err.h>
+#include <iprt/file.h>
 #include <iprt/mem.h>
 #include <iprt/path.h>   /* RTPATH_MAX, RTPATH_IS_SLASH */
 #include <iprt/string.h> /* RT_ZERO */
+#include <iprt/stream.h>
+#include <iprt/thread.h>
 #include <iprt/utf16.h>
 
@@ -79 +86 @@
 
 
+/*********************************************************************************************************************************
+*   Internal structures                                                                                                          *
+*********************************************************************************************************************************/
+/**
+ * Structure for keeping a target's directory security context.
+ */
+typedef struct TGTDIRSECCTX
+{
+    /** Initialized status. */
+    bool     fInitialized;
+    /** Handle of the target's parent directory.
+     *
+     * Kept open while the context is around and initialized. */
+    RTDIR    hParentDir;
+    /** Absolute (resolved) path of the target directory. */
+    char     szTargetDirAbs[RTPATH_MAX];
+    /** Access mask which is forbidden for an ACE of type ACCESS_ALLOWED_ACE_TYPE. */
+    uint32_t fAccessMaskForbidden;
+    /** Array of well-known SIDs which are forbidden. */
+    PSID    *paWellKnownSidsForbidden;
+    /** Number of entries in \a paWellKnownSidsForbidden. */
+    size_t   cWellKnownSidsForbidden;
+} TGTDIRSECCTX;
+/** Pointer to a target's directory security context. */
+typedef TGTDIRSECCTX *PTGTDIRSECCTX;
+
+
+/*********************************************************************************************************************************
+*   Prototypes                                                                                                                   *
+*********************************************************************************************************************************/
+static void destroyTargetDirSecurityCtx(PTGTDIRSECCTX pCtx);
+
+
+/*********************************************************************************************************************************
+*   Globals                                                                                                                      *
+*********************************************************************************************************************************/
+static uint32_t     g_cRef = 0;
+/** Our target directory security context.
+ *
+ * Has to be global in order to keep it around as long as the DLL is being loaded. */
+static TGTDIRSECCTX g_TargetDirSecCtx = { 0 };
+
 
 /**
@@ -87 +136 @@
     RT_NOREF(hInst, uReason, pReserved);
 
+#ifdef DEBUG
+    WCHAR wszMsg[128];
+    RTUtf16Printf(wszMsg, RT_ELEMENTS(wszMsg), "DllMain: hInst=%#x, uReason=%u (PID %u), g_cRef=%RU32\n",
+                  hInst, uReason, GetCurrentProcessId(), g_cRef);
+    OutputDebugStringW(wszMsg);
+#endif
+
+    switch (uReason)
+    {
+        case DLL_PROCESS_ATTACH:
+        {
+            g_cRef++;
 #if 0
-    /*
-     * This is a trick for allowing the debugger to be attached, don't know if
-     * there is an official way to do that, but this is a pretty efficient.
-     *
-     * Monitor the debug output in DbgView and be ready to start windbg when
-     * the message below appear.  This will happen 3-4 times during install,
-     * and 2-3 times during uninstall.
-     *
-     * Note! The DIFxApp.DLL will automatically trigger breakpoints when a
-     *       debugger is attached.  Just continue on these.
-     */
-    if (uReason == DLL_PROCESS_ATTACH)
-    {
-        WCHAR wszMsg[128];
-        RTUtf16Printf(wszMsg, RT_ELEMENTS(wszMsg), "Waiting for debugger to attach: windbg -g -G -p %u\n", GetCurrentProcessId());
-        for (unsigned i = 0; i < 128 && !IsDebuggerPresent(); i++)
-        {
-            OutputDebugStringW(wszMsg);
-            Sleep(1001);
-        }
-        Sleep(1002);
-        __debugbreak();
-    }
+            /*
+             * This is a trick for allowing the debugger to be attached, don't know if
+             * there is an official way to do that, but this is a pretty efficient.
+             *
+             * Monitor the debug output in DbgView and be ready to start windbg when
+             * the message below appear.  This will happen 3-4 times during install,
+             * and 2-3 times during uninstall.
+             *
+             * Note! The DIFxApp.DLL will automatically trigger breakpoints when a
+             *       debugger is attached.  Just continue on these.
+             */
+            RTUtf16Printf(wszMsg, RT_ELEMENTS(wszMsg), "Waiting for debugger to attach: windbg -g -G -p %u\n", GetCurrentProcessId());
+            for (unsigned i = 0; i < 128 && !IsDebuggerPresent(); i++)
+            {
+                OutputDebugStringW(wszMsg);
+                Sleep(1001);
+            }
+            Sleep(1002);
+            __debugbreak();
 #endif
+            break;
+        }
+
+        case DLL_PROCESS_DETACH:
+        {
+            g_cRef--;
+            break;
+        }
+
+        default:
+            break;
+    }
 
     return TRUE;
@@ -117 +186 @@
 
 /**
- * Format and add message to the MSI log.
+ * Format a log message and print it to whatever is there (i.e. to the MSI log).
  *
  * UTF-16 strings are formatted using '%ls' (lowercase).
  * ANSI strings are formatted using '%s' (uppercase).
+ *
+ * @returns VBox status code.
+ * @param   hInstall            MSI installer handle. Optional and can be NULL.
+ * @param   pszFmt              Format string.
+ * @param   ...                 Variable arguments for format string.
  */
-static UINT logStringF(MSIHANDLE hInstall, const char *pszFmt, ...)
-{
+static int logStringF(MSIHANDLE hInstall, const char *pszFmt, ...)
+{
+    RTUTF16 wszVa[RTPATH_MAX + 256];
+    va_list va;
+    va_start(va, pszFmt);
+    ssize_t cwc = RTUtf16PrintfV(wszVa, RT_ELEMENTS(wszVa), pszFmt, va);
+    va_end(va);
+
+    RTUTF16 wszMsg[RTPATH_MAX + 256];
+    cwc = RTUtf16Printf(wszMsg, sizeof(wszMsg), "VBoxInstallHelper: %ls", wszVa);
+    if (cwc <= 0)
+        return VERR_BUFFER_OVERFLOW;
+
+#ifdef DEBUG
+    OutputDebugStringW(wszMsg);
+#endif
+#ifdef TESTCASE
+    RTPrintf("%ls\n", wszMsg);
+#endif
     PMSIHANDLE hMSI = MsiCreateRecord(2 /* cParms */);
     if (hMSI)
     {
-        wchar_t wszBuf[RTPATH_MAX + 256];
-        va_list va;
-        va_start(va, pszFmt);
-        ssize_t cwc = RTUtf16PrintfV(wszBuf, RT_ELEMENTS(wszBuf), pszFmt, va);
-        va_end(va);
-
-        MsiRecordSetStringW(hMSI, 0, wszBuf);
+        MsiRecordSetStringW(hMSI, 0, wszMsg);
         MsiProcessMessage(hInstall, INSTALLMESSAGE(INSTALLMESSAGE_INFO), hMSI);
-
         MsiCloseHandle(hMSI);
-        return cwc < RT_ELEMENTS(wszBuf) ? ERROR_SUCCESS : ERROR_BUFFER_OVERFLOW;
-    }
-    return ERROR_ACCESS_DENIED;
+    }
+
+    return cwc < RT_ELEMENTS(wszVa) ? VINF_SUCCESS : VERR_BUFFER_OVERFLOW;
 }
 
@@ -160 +244 @@
 #endif
     return ERROR_SUCCESS;
+}
+
+/**
+ * Initializes a target security context.
+ *
+ * @returns VBox status code.
+ * @param   pCtx                Target directory security context to initialize.
+ * @param   hModule             Windows installer module handle.
+ * @param   pszPath             Target directory path to use.
+ */
+static int initTargetDirSecurityCtx(PTGTDIRSECCTX pCtx, MSIHANDLE hModule, const char *pszPath)
+{
+    if (pCtx->fInitialized)
+        return VINF_SUCCESS;
+
+#ifdef DEBUG
+    logStringF(hModule, "initTargetDirSecurityCtx: pszPath=%s\n", pszPath);
+#endif
+
+    char szPathTemp[RTPATH_MAX];
+    int vrc = RTStrCopy(szPathTemp, sizeof(szPathTemp), pszPath);
+    if (RT_FAILURE(vrc))
+        return vrc;
+
+    /* Try to find a parent path which exists. */
+    char szPathParentAbs[RTPATH_MAX] = { 0 };
+    for (int i = 0; i < 256; i++) /* Failsafe counter. */
+    {
+        RTPathStripTrailingSlash(szPathTemp);
+        RTPathStripFilename(szPathTemp);
+        vrc = RTPathReal(szPathTemp, szPathParentAbs, sizeof(szPathParentAbs));
+        if (RT_SUCCESS(vrc))
+            break;
+    }
+
+    if (RT_FAILURE(vrc))
+    {
+        logStringF(hModule, "initTargetDirSecurityCtx: No existing / valid parent directory found (%Rrc), giving up\n", vrc);
+        return vrc;
+    }
+
+    RTDIR hParentDir;
+    vrc = RTDirOpen(&hParentDir, szPathParentAbs);
+    if (RT_FAILURE(vrc))
+    {
+        logStringF(hModule, "initTargetDirSecurityCtx: Locking parent directory '%s' failed with %Rrc\n", szPathParentAbs, vrc);
+        return vrc;
+    }
+
+#ifdef DEBUG
+    logStringF(hModule, "initTargetDirSecurityCtx: Locked parent directory '%s'\n", szPathParentAbs);
+#endif
+
+    char szPathTargetAbs[RTPATH_MAX];
+    vrc = RTPathReal(pszPath, szPathTargetAbs, sizeof(szPathTargetAbs));
+    if (RT_FAILURE(vrc))
+        vrc = RTStrCopy(szPathTargetAbs, sizeof(szPathTargetAbs), pszPath);
+    if (RT_FAILURE(vrc))
+    {
+        logStringF(hModule, "initTargetDirSecurityCtx: Failed to resolve absolute target path (%Rrc)\n", vrc);
+        return vrc;
+    }
+
+#ifdef DEBUG
+    logStringF(hModule, "initTargetDirSecurityCtx: szPathTargetAbs=%s, szPathParentAbs=%s\n", szPathTargetAbs, szPathParentAbs);
+#endif
+
+    /* Target directory validation. */
+    if (   !RTStrCmp(szPathTargetAbs, szPathParentAbs) /* Don't allow installation into root directories. */
+        ||  RTStrStr(szPathTargetAbs, ".."))
+    {
+        logStringF(hModule, "initTargetDirSecurityCtx: Directory '%s' invalid", szPathTargetAbs);
+        vrc = VERR_INVALID_NAME;
+    }
+
+    if (RT_SUCCESS(vrc))
+    {
+        RTFSOBJINFO fsObjInfo;
+        vrc = RTPathQueryInfo(szPathParentAbs, &fsObjInfo, RTFSOBJATTRADD_NOTHING);
+        if (RT_SUCCESS(vrc))
+        {
+            if (RTFS_IS_DIRECTORY(fsObjInfo.Attr.fMode)) /* No symlinks or other fun stuff. */
+            {
+                static WELL_KNOWN_SID_TYPE aForbiddenWellKnownSids[] =
+                {
+                    WinNullSid,
+                    WinWorldSid,
+                    WinAuthenticatedUserSid,
+                    WinBuiltinUsersSid,
+                    WinBuiltinGuestsSid,
+                    WinBuiltinPowerUsersSid
+                };
+
+                pCtx->paWellKnownSidsForbidden = (PSID *)RTMemAlloc(sizeof(PSID) * RT_ELEMENTS(aForbiddenWellKnownSids));
+                AssertPtrReturn(pCtx->paWellKnownSidsForbidden, VERR_NO_MEMORY);
+
+                size_t i = 0;
+                for(; i < RT_ELEMENTS(aForbiddenWellKnownSids); i++)
+                {
+                    pCtx->paWellKnownSidsForbidden[i] = RTMemAlloc(SECURITY_MAX_SID_SIZE);
+                    AssertPtrBreakStmt(pCtx->paWellKnownSidsForbidden, vrc = VERR_NO_MEMORY);
+                    DWORD cbSid = SECURITY_MAX_SID_SIZE;
+                    if (!CreateWellKnownSid(aForbiddenWellKnownSids[i], NULL, pCtx->paWellKnownSidsForbidden[i], &cbSid))
+                    {
+                        vrc = RTErrConvertFromWin32(GetLastError());
+                        logStringF(hModule, "initTargetDirSecurityCtx: Creating SID (index %zu) failed with %Rrc\n", i, vrc);
+                        break;
+                    }
+                }
+
+                if (RT_SUCCESS(vrc))
+                {
+                    vrc = RTStrCopy(pCtx->szTargetDirAbs, sizeof(pCtx->szTargetDirAbs), szPathTargetAbs);
+                    if (RT_SUCCESS(vrc))
+                    {
+                        pCtx->fInitialized            = true;
+                        pCtx->hParentDir              = hParentDir;
+                        pCtx->cWellKnownSidsForbidden = i;
+                        pCtx->fAccessMaskForbidden    = FILE_WRITE_DATA
+                                                      | FILE_APPEND_DATA
+                                                      | FILE_WRITE_ATTRIBUTES
+                                                      | FILE_WRITE_EA;
+
+                        RTFILE fh;
+                        RTFileOpen(&fh, "c:\\temp\\targetdir.ctx", RTFILE_O_CREATE_REPLACE | RTFILE_O_DENY_WRITE | RTFILE_O_WRITE);
+                        RTFileClose(fh);
+
+                        return VINF_SUCCESS;
+                    }
+                }
+            }
+            else
+                vrc = VERR_INVALID_NAME;
+        }
+    }
+
+    RTDirClose(hParentDir);
+
+    while (pCtx->cWellKnownSidsForbidden--)
+    {
+        RTMemFree(pCtx->paWellKnownSidsForbidden[pCtx->cWellKnownSidsForbidden]);
+        pCtx->paWellKnownSidsForbidden[pCtx->cWellKnownSidsForbidden] = NULL;
+    }
+
+    logStringF(hModule, "initTargetDirSecurityCtx: Initialization failed failed with %Rrc\n", vrc);
+    return vrc;
+}
+
+/**
+ * Destroys a target security context.
+ *
+ * @returns VBox status code.
+ * @param   pCtx                Target directory security context to destroy.
+ */
+static void destroyTargetDirSecurityCtx(PTGTDIRSECCTX pCtx)
+{
+    if (   !pCtx
+        || !pCtx->fInitialized)
+        return;
+
+    if (pCtx->hParentDir != NIL_RTDIR)
+    {
+        RTDirClose(pCtx->hParentDir);
+        pCtx->hParentDir = NIL_RTDIR;
+    }
+    RT_ZERO(pCtx->szTargetDirAbs);
+
+    for (size_t i = 0; i < pCtx->cWellKnownSidsForbidden; i++)
+        RTMemFree(pCtx->paWellKnownSidsForbidden[i]);
+    pCtx->cWellKnownSidsForbidden = 0;
+
+    RTMemFree(pCtx->paWellKnownSidsForbidden);
+    pCtx->paWellKnownSidsForbidden = NULL;
+
+    RTFileDelete("c:\\temp\\targetdir.ctx");
+
+    logStringF(NULL, "destroyTargetDirSecurityCtx\n");
+}
+
+#ifdef DEBUG
+/**
+ * Returns a stingified version of an ACE type.
+ *
+ * @returns Stingified version of an ACE type.
+ * @param   uType               ACE type.
+ */
+inline const char *dbgAceTypeToString(uint8_t uType)
+{
+    switch (uType)
+    {
+        RT_CASE_RET_STR(ACCESS_ALLOWED_ACE_TYPE);
+        RT_CASE_RET_STR(ACCESS_DENIED_ACE_TYPE);
+        RT_CASE_RET_STR(SYSTEM_AUDIT_ACE_TYPE);
+        RT_CASE_RET_STR(SYSTEM_ALARM_ACE_TYPE);
+        default: break;
+    }
+
+    return "<Invalid>";
+}
+
+/**
+ * Returns an allocated string for a SID containing the user/domain name.
+ *
+ * @returns Allocated string (UTF-8). Must be free'd using RTStrFree().
+ * @param   pSid                SID to return allocated string for.
+ */
+inline char *dbgSidToNameA(const PSID pSid)
+{
+    char *pszName = NULL;
+    int   vrc     = VINF_SUCCESS;
+
+    LPWSTR pwszSid = NULL;
+    if (ConvertSidToStringSid(pSid, &pwszSid))
+    {
+        SID_NAME_USE SidNameUse;
+
+        WCHAR wszUser[MAX_PATH];
+        DWORD cbUser   = sizeof(wszUser);
+        WCHAR wszDomain[MAX_PATH];
+        DWORD cbDomain = sizeof(wszDomain);
+        if (LookupAccountSid(NULL, pSid, wszUser, &cbUser, wszDomain, &cbDomain, &SidNameUse))
+        {
+            RTUTF16 wszName[RTPATH_MAX];
+            if (RTUtf16Printf(wszName, RT_ELEMENTS(wszName), "%ls%s%ls (%ls)",
+                              wszUser, wszDomain[0] == L'\0' ? "" : "\\", wszDomain, pwszSid))
+            {
+                vrc = RTUtf16ToUtf8(wszName, &pszName);
+            }
+            else
+                vrc = VERR_NO_MEMORY;
+        }
+        else
+            vrc = RTStrAPrintf(&pszName, "<Lookup Error>");
+
+        LocalFree(pwszSid);
+    }
+    else
+        vrc = VERR_NOT_FOUND;
+
+    return RT_SUCCESS(vrc) ? pszName : "<Invalid>";
+}
+#endif /* DEBUG */
+
+/**
+ * Checks a single target path whether it's safe to use or not.
+ *
+ * We check if the given path is owned by "NT Service\TrustedInstaller" and therefore assume that it's safe to use.
+ *
+ * @returns VBox status code. On error the path should be considered unsafe.
+ * @retval  VERR_INVALID_NAME if the given path is considered unsafe.
+ * @retval  VINF_SUCCESS if the given path is found to be safe to use.
+ * @param   hModule             Windows installer module handle.
+ * @param   pszPath             Path to check.
+ */
+static int checkTargetDirOne(MSIHANDLE hModule, PTGTDIRSECCTX pCtx, const char *pszPath)
+{
+    logStringF(hModule, "checkTargetDirOne: Checking '%s' ...", pszPath);
+
+    PRTUTF16 pwszPath;
+    int vrc = RTStrToUtf16(pszPath, &pwszPath);
+    if (RT_FAILURE(vrc))
+        return vrc;
+
+    PACL      pDacl = NULL;
+    PSECURITY_DESCRIPTOR pSecurityDescriptor = { 0 };
+    DWORD dwErr = GetNamedSecurityInfo(pwszPath, SE_FILE_OBJECT, GROUP_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION,
+                                       NULL, NULL, NULL, NULL, &pSecurityDescriptor);
+    if (dwErr == ERROR_SUCCESS)
+    {
+        BOOL fDaclPresent          = FALSE;
+        BOOL fDaclDefaultedIgnored = FALSE;
+        if (GetSecurityDescriptorDacl(pSecurityDescriptor, &fDaclPresent,
+                                      &pDacl, &fDaclDefaultedIgnored))
+        {
+            if (   !fDaclPresent
+                || !pDacl)
+            {
+                /* Bail out early if the DACL isn't provided or is missing. */
+                vrc = VERR_INVALID_NAME;
+            }
+            else
+            {
+                ACL_SIZE_INFORMATION aclSizeInfo;
+                RT_ZERO(aclSizeInfo);
+                if (GetAclInformation(pDacl, &aclSizeInfo, sizeof(aclSizeInfo), AclSizeInformation))
+                {
+                    for(DWORD idxACE = 0; idxACE < aclSizeInfo.AceCount; idxACE++)
+                    {
+                        ACE_HEADER *pAceHdr = NULL;
+                        if (GetAce(pDacl, idxACE, (LPVOID *)&pAceHdr))
+                        {
+#ifdef DEBUG
+                            logStringF(hModule, "checkTargetDirOne: ACE type=%s, flags=%#x, size=%#x",
+                                       dbgAceTypeToString(pAceHdr->AceType), pAceHdr->AceFlags, pAceHdr->AceSize);
+#endif
+                            /* Note: We print the ACEs in canonoical order. */
+                            switch (pAceHdr->AceType)
+                            {
+                                case ACCESS_ALLOWED_ACE_TYPE: /* We're only interested in the ALLOW ACE. */
+                                {
+                                    ACCESS_ALLOWED_ACE const *pAce = (ACCESS_ALLOWED_ACE *)pAceHdr;
+                                    PSID const pSid                = (PSID)&pAce->SidStart;
+#ifdef DEBUG
+                                    char *pszSid = dbgSidToNameA(pSid);
+                                    logStringF(hModule, "checkTargetDirOne:\t%s fMask=%#x", pszSid, pAce->Mask);
+                                    RTStrFree(pszSid);
+#endif
+                                    /* We check the flags here first for performance reasons. */
+                                    if ((pAce->Mask & pCtx->fAccessMaskForbidden) == pCtx->fAccessMaskForbidden)
+                                    {
+                                        for (size_t idxSID = 0; idxSID < pCtx->cWellKnownSidsForbidden; idxSID++)
+                                        {
+                                            PSID const pSidForbidden = pCtx->paWellKnownSidsForbidden[idxSID];
+                                            bool const fForbidden    = EqualSid(pSid, pSidForbidden);
+#ifdef DEBUG
+                                            char *pszName = dbgSidToNameA(pSidForbidden);
+                                            logStringF(hModule, "checkTargetDirOne:\t%s : %s",
+                                                       fForbidden ? "** FORBIDDEN **" : "ALLOWED        ", pszName);
+                                            RTStrFree(pszName);
+#endif /* DEBUG */
+                                            if (fForbidden)
+                                            {
+                                                vrc = VERR_INVALID_NAME;
+                                                break;
+                                            }
+                                        }
+                                    }
+
+                                    break;
+                                }
+
+                                case ACCESS_DENIED_ACE_TYPE: /* We're only interested in the ALLOW ACE. */
+                                {
+                                    ACCESS_DENIED_ACE const *pAce = (ACCESS_DENIED_ACE *)pAceHdr;
+#ifdef DEBUG
+                                    LPWSTR pwszSid = NULL;
+                                    ConvertSidToStringSid((PSID)&pAce->SidStart, &pwszSid);
+
+                                    logStringF(hModule, "checkTargetDirOne:\t%ls fMask=%#x (generic %#x specific %#x)",
+                                               pwszSid ? pwszSid : L"<Allocation Error>", pAce->Mask);
+#endif /* DEBUG */
+                                    LocalFree(pwszSid);
+
+                                    /* Ignore everything else. */
+                                    break;
+                                }
+                            }
+                        }
+                        else
+                            dwErr = GetLastError();
+
+                        /* No point in checking further if we failed somewhere above. */
+                        if (RT_FAILURE(vrc))
+                            break;
+
+                    } /* for ACE */
+                }
+                else
+                    dwErr = GetLastError();
+            }
+        }
+        else
+            dwErr = GetLastError();
+
+        LocalFree(pSecurityDescriptor);
+    }
+    else
+        dwErr = GetLastError();
+
+    if (RT_SUCCESS(vrc))
+        vrc = RTErrConvertFromWin32(dwErr);
+
+#ifdef DEBUG
+    logStringF(hModule, "checkTargetDirOne: Returning %Rrc", vrc);
+#endif
+
+    if (   RT_FAILURE(vrc)
+        && vrc != VERR_INVALID_NAME)
+        logStringF(hModule, "checkTargetDirOne: Failed with %Rrc (%#x)", vrc, dwErr);
+
+    return vrc;
+}
+
+/**
+ * Checks whether the path in the public property INSTALLDIR has the correct ACL permissions and returns whether
+ * it's valid or not.
+ *
+ * Called from the MSI installer as a custom action.
+ *
+ * @returns Success status (acccording to MSI custom actions).
+ * @retval  ERROR_SUCCESS if checking the target directory turned out to be valid.
+ * @retval  ERROR_NO_NET_OR_BAD_PATH is the target directory is invalid.
+ * @param   hModule             Windows installer module handle.
+ *
+ * @note    Sets private property VBox_Target_Dir_Is_Valid to "1" (true) if the given target path is valid,
+ *          or "0" (false) if it is not. An empty target directory is considered to be valid (i.e. INSTALLDIR not set yet).
+ *
+ * @sa      @bugref{10616}
+ */
+UINT __stdcall CheckTargetDir(MSIHANDLE hModule)
+{
+    char *pszTargetDir;
+
+    int vrc = VBoxGetMsiPropUtf8(hModule, "INSTALLDIR", &pszTargetDir);
+    if (RT_SUCCESS(vrc))
+    {
+        logStringF(hModule, "CheckTargetDir: Checking target directory '%s' ...", pszTargetDir);
+
+        if (!RTStrNLen(pszTargetDir, RTPATH_MAX))
+        {
+            logStringF(hModule, "CheckTargetDir: No INSTALLDIR set (yet), skipping ...");
+            VBoxSetMsiProp(hModule, L"VBox_Target_Dir_Is_Valid", L"1");
+        }
+        else
+        {
+            union
+            {
+                RTPATHPARSED    Parsed;
+                uint8_t         ab[RTPATH_MAX];
+            } u;
+
+            vrc = RTPathParse(pszTargetDir, &u.Parsed, sizeof(u), RTPATH_STR_F_STYLE_DOS);
+            if (RT_SUCCESS(vrc))
+            {
+                if (u.Parsed.fProps & RTPATH_PROP_DOTDOT_REFS)
+                    vrc = VERR_INVALID_PARAMETER;
+                if (RT_SUCCESS(vrc))
+                {
+                    vrc = initTargetDirSecurityCtx(&g_TargetDirSecCtx, hModule, pszTargetDir);
+                    if (RT_SUCCESS(vrc))
+                    {
+                        uint16_t idxComp = u.Parsed.cComps;
+                        char     szPathToCheck[RTPATH_MAX];
+                        while (idxComp > 1) /* We traverse backwards from INSTALLDIR and leave out the root (e.g. C:\"). */
+                        {
+                            u.Parsed.cComps = idxComp;
+                            vrc = RTPathParsedReassemble(pszTargetDir, &u.Parsed, RTPATH_STR_F_STYLE_DOS,
+                                                         szPathToCheck, sizeof(szPathToCheck));
+                            if (RT_FAILURE(vrc))
+                                break;
+                            if (RTDirExists(szPathToCheck))
+                            {
+                                vrc = checkTargetDirOne(hModule, &g_TargetDirSecCtx, szPathToCheck);
+                                if (RT_FAILURE(vrc))
+                                    break;
+                            }
+                            else
+                                logStringF(hModule, "CheckTargetDir: Path '%s' does not exist (yet)", szPathToCheck);
+                            idxComp--;
+                        }
+
+                        destroyTargetDirSecurityCtx(&g_TargetDirSecCtx);
+                    }
+                    else
+                        logStringF(hModule, "CheckTargetDir: initTargetDirSecurityCtx failed with %Rrc\n", vrc);
+
+                    if (RT_SUCCESS(vrc))
+                        VBoxSetMsiProp(hModule, L"VBox_Target_Dir_Is_Valid", L"1");
+                }
+            }
+            else
+                logStringF(hModule, "CheckTargetDir: Parsing path failed with %Rrc", vrc);
+        }
+
+        RTStrFree(pszTargetDir);
+    }
+
+    if (RT_FAILURE(vrc)) /* On failure (or when in doubt), mark the installation directory as invalid. */
+    {
+        logStringF(hModule, "CheckTargetDir: Checking failed with %Rrc", vrc);
+        VBoxSetMsiProp(hModule, L"VBox_Target_Dir_Is_Valid", L"0");
+    }
+
+    /* Return back outcome to the MSI engine. */
+    return RT_SUCCESS(vrc) ? ERROR_SUCCESS : ERROR_NO_NET_OR_BAD_PATH;
 }
 

trunk/src/VBox/Installer/win/InstallHelper/VBoxInstallHelper.def

@@ -30 +30 @@
     IsSerialCheckNeeded
     CheckSerial
+    CheckTargetDir
     IsMSCRTInstalled
     IsPythonInstalled
@@ -39 +40 @@
     InstallNetFlt
     UninstallNetFlt
-        UninstallNetAdp
-        InstallNetLwf
+    UninstallNetAdp
+    InstallNetLwf
     UninstallNetLwf
     UninstallTAPInstances

trunk/src/VBox/Installer/win/NLS/de_DE.wxl

@@ -64 +64 @@
     <String Id="VB_NetLwfDriver">[ProductName] Treiber für NDIS6-Netzwerkbrücke.</String>
     <String Id="VB_NetAdp6Driver">[ProductName] Treiber für virtuellen Netzwerk-Adapter für NDIS6-Host-only-Netzwerke.</String>
-
-  <String Id="VB_Python">Python-Support für VirtualBox.</String>
+    <String Id="VB_Python">Python-Support für VirtualBox.</String>
 
     <!---->
@@ -76 +75 @@
     <String Id="SunFound">Eine alte Sun Version von VirtualBox wurde auf diesem Computer gefunden. Bitte deinstallieren Sie diese Version zuerst. Danach können Sie [ProductName] installieren!</String>
     <String Id="InnotekFound">Eine alte innotek Version von VirtualBox wurde auf diesem Computer gefunden. Bitte deinstallieren Sie diese Version zuerst. Danach können Sie [ProductName] installieren!</String>
+    <String Id="InvalidTargetDir">Ungültiges Installationsverzeichnis angegeben. Bitte ein anderes Installationsverzeichnis wählen, um [ProductName] zu installieren.</String>
 
     <!---->
@@ -92 +92 @@
     <String Id="LicenseAgreementDlg_Accept">Ich &amp;akzeptiere die Bedingungen des Lizenzvertrags.</String>
     <String Id="LicenseAgreementDlg_Decline">Ich &amp;akzeptiere die Bedingungen des Lizenzvertrags nicht.</String>
+
+    <!---->
+    <String Id="InvalidTargetDirDlg_Header">Ungültiges Installationsverzeichnis</String>
+    <String Id="InvalidTargetDirDlg_Desc1">Das gewählte Installationsverzeichnis is ungültig, da dieses nicht den Sicherheitsrichtlinien entspricht.</String>
+    <String Id="InvalidTargetDirDlg_Desc2">Bitte ein anderes Installationsverzeichnis wählen um [ProductName] zu installieren.</String>
 
     <!---->

trunk/src/VBox/Installer/win/NLS/el_GR.wxl

@@ -64 +64 @@
     <String Id="VB_NetLwfDriver">Οδηγός [ProductName] για NDIS6 γεφυρωμένα δίκτυα.</String>
     <String Id="VB_NetAdp6Driver">Οδηγός [ProductName] εικονικής κάρτας δικτύου για NDIS6 μόνο-με-οικοδεσπότη δίκτυα.</String>
-
     <String Id="VB_Python">Υποστήριξη Python για το VirtualBox.</String>
 
@@ -76 +75 @@
     <String Id="SunFound">Βρέθηκε μία παλιότερη εγκατάσταση του Sun VirtualBox στον υπολογιστή. Καταργήστε πρώτα την εγκατάσταση αυτού του πακέτου και μετά εγκαταστήστε το [ProductName]!</String>
     <String Id="InnotekFound">Βρέθηκε μία παλιότερη εγκατάσταση του innotek VirtualBox στον υπολογιστή. Καταργήστε πρώτα την εγκατάσταση αυτού του πακέτου και μετά εγκαταστήστε το [ProductName]!</String>
+    <String Id="InvalidTargetDir">Invalid installation directory specified! Please use another installation directory to install [ProductName].</String>
 
     <!---->
@@ -92 +92 @@
     <String Id="LicenseAgreementDlg_Accept">Αποδέχομαι τους όρους της Άδειας Χρήσης</String>
     <String Id="LicenseAgreementDlg_Decline">Δεν αποδέχομαι τους όρους της Άδειας Χρήσης</String>
+
+    <!---->
+
+    <String Id="InvalidTargetDirDlg_Header">Invalid installation directory</String>
+    <String Id="InvalidTargetDirDlg_Desc1">The chosen installation directory is invalid, as it does not meet the security requirements.</String>
+    <String Id="InvalidTargetDirDlg_Desc2">Please choose another directory for installing [ProductName].</String>
 
     <!---->

trunk/src/VBox/Installer/win/NLS/en_US.wxl

@@ -64 +64 @@
     <String Id="VB_NetLwfDriver">[ProductName] driver for NDIS6 Bridged Networking.</String>
     <String Id="VB_NetAdp6Driver">[ProductName] virtual network adapter driver for NDIS6 Host-Only Networking.</String>
-
     <String Id="VB_Python">Python support for VirtualBox.</String>
 
@@ -76 +75 @@
     <String Id="SunFound">An old Sun VirtualBox installation has been found on this machine. Please uninstall this package first and then install [ProductName]!</String>
     <String Id="InnotekFound">An old innotek VirtualBox installation has been found on this machine. Please uninstall this package first and then install [ProductName]!</String>
+    <String Id="InvalidTargetDir">Invalid installation directory specified! Please use another installation directory to install [ProductName].</String>
 
     <!---->
@@ -92 +92 @@
     <String Id="LicenseAgreementDlg_Accept">I &amp;accept the terms in the License Agreement</String>
     <String Id="LicenseAgreementDlg_Decline">I &amp;do not accept the terms in the License Agreement</String>
+
+    <!---->
+
+    <String Id="InvalidTargetDirDlg_Header">Invalid installation directory</String>
+    <String Id="InvalidTargetDirDlg_Desc1">The chosen installation directory is invalid, as it does not meet the security requirements.</String>
+    <String Id="InvalidTargetDirDlg_Desc2">Please choose another directory for installing [ProductName].</String>
 
     <!---->

trunk/src/VBox/Installer/win/NLS/fa_IR.wxl

@@ -59 +59 @@
     <String Id="VB_NetLwfDriver">[ProductName] driver for NDIS6 Bridged Networking.</String>
     <String Id="VB_NetAdp6Driver">[ProductName] virtual network adapter driver for NDIS6 Host-Only Networking.</String>
-
-  <String Id="VB_Python">پشتیبانی از پایتون برای ویرچوال باکس.</String>
+    <String Id="VB_Python">پشتیبانی از پایتون برای ویرچوال باکس.</String>
     <!---->
     <String Id="NeedAdmin">برای حذف [ProductName] شما نیاز به اجازه مدیر دارید! این راه انداز حالا لغو میشود.</String>
@@ -69 +68 @@
     <String Id="SunFound">یک نصب قدیمی ویرچوال باکس روی این رایانه یافت شد. لطفا اول این بسته را حذف سپس [ProductName] را نصب کنید!</String>
     <String Id="InnotekFound">یک نسخه قدیمی نصب ویرچوال باکس در این ماشین یافت شد. لطفا اول این بسته را حذف و سپس [ProductName] را نصب کنید!</String>
+    <String Id="InvalidTargetDir">Invalid installation directory specified! Please use another installation directory to install [ProductName].</String>
     <!---->
     <String Id="CancelDlg_Question">آیا میخواهید نصب [ProductName] را لغو کنید؟</String>
@@ -79 +79 @@
     <String Id="LicenseAgreementDlg_Accept">&amp;من ضوابط را در توافقنامه مجوز می پذیرم</String>
     <String Id="LicenseAgreementDlg_Decline">&amp;من ضوابط را در توافقنامه مجوز نمی پذیرم</String>
+    <!---->
+    <String Id="InvalidTargetDirDlg_Header">Invalid installation directory</String>
+    <String Id="InvalidTargetDirDlg_Desc1">The chosen installation directory is invalid, as it does not meet the security requirements.</String>
+    <String Id="InvalidTargetDirDlg_Desc2">Please choose another directory for installing [ProductName].</String>
     <!---->
     <String Id="CheckSerialDlg_Header">شماره سریال</String>

trunk/src/VBox/Installer/win/NLS/fr_FR.wxl

@@ -64 +64 @@
     <String Id="VB_NetLwfDriver">[ProductName] driver for NDIS6 Bridged Networking.</String>
     <String Id="VB_NetAdp6Driver">[ProductName] virtual network adapter driver for NDIS6 Host-Only Networking.</String>
-
-  <String Id="VB_Python">Python support for VirtualBox.</String>
+    <String Id="VB_Python">Python support for VirtualBox.</String>
 
     <!---->
@@ -75 +74 @@
     <String Id="Only64Bit">Cette application ne marche que sur des systèmes Windows 64-bit. Veuillez installer la version 32-bit de [ProductName]!</String>
     <String Id="InnotekFound">Vous avez une ancienne installation de innotek VirtualBox sur cette machine. Il vous faudra la désinstaller avant de pouvoir installer [ProductName].</String>
+    <String Id="InvalidTargetDir">Invalid installation directory specified! Please use another installation directory to install [ProductName].</String>
 
     <!---->
@@ -91 +91 @@
     <String Id="LicenseAgreementDlg_Accept">J'&amp;accepte les termes du Contrat de licence</String>
     <String Id="LicenseAgreementDlg_Decline">Je &amp;n'accepte pas les termes du Contrat de licence</String>
+
+    <!---->
+
+    <String Id="InvalidTargetDirDlg_Header">Invalid installation directory</String>
+    <String Id="InvalidTargetDirDlg_Desc1">The chosen installation directory is invalid, as it does not meet the security requirements.</String>
+    <String Id="InvalidTargetDirDlg_Desc2">Please choose another directory for installing [ProductName].</String>
 
     <!---->

trunk/src/VBox/Installer/win/NLS/it_IT.wxl

@@ -59 +59 @@
     <String Id="VB_NetLwfDriver">Driver di [ProductName] per la rete con bridge NDIS6.</String>
     <String Id="VB_NetAdp6Driver">Driver di [ProductName] per la scheda di rete virtuale per la rete solo host NDIS6.</String>
-
-  <String Id="VB_Python">Supporto Python per VirtualBox.</String>
+    <String Id="VB_Python">Supporto Python per VirtualBox.</String>
     <!---->
     <String Id="NeedAdmin">Devi avere diritti di amministrazione per (dis)installare [ProductName]! L'installazione sarà interrotta immediatamente.</String>
@@ -69 +68 @@
     <String Id="SunFound">Una vecchia installazione di Sun VirtualBox è stata trovata su questa macchina. Disinstalla prima questo pacchetto e poi installa [ProductName]!</String>
     <String Id="InnotekFound">Una vecchia installazione di innotek VirtualBox è stata trovata su questa macchina. Disinstalla prima questo pacchetto e poi installa [ProductName]!</String>
+    <String Id="InvalidTargetDir">Invalid installation directory specified! Please use another installation directory to install [ProductName].</String>
     <!---->
     <String Id="CancelDlg_Question">Sei sicuro di voler annullare l'installazione di [ProductName]?</String>
@@ -79 +79 @@
     <String Id="LicenseAgreementDlg_Accept">&amp;Accetto i termini dell'accordo di licenza</String>
     <String Id="LicenseAgreementDlg_Decline">&amp;Non accetto i termini dell'accordo di licenza</String>
+    <!---->
+    <String Id="InvalidTargetDirDlg_Header">Invalid installation directory</String>
+    <String Id="InvalidTargetDirDlg_Desc1">The chosen installation directory is invalid, as it does not meet the security requirements.</String>
+    <String Id="InvalidTargetDirDlg_Desc2">Please choose another directory for installing [ProductName].</String>
     <!---->
     <String Id="CheckSerialDlg_Header">Numero di serie</String>

trunk/src/VBox/Installer/win/NLS/ru_RU.wxl

@@ -64 +64 @@
     <String Id="VB_NetLwfDriver">[ProductName] driver for NDIS6 Bridged Networking.</String>
     <String Id="VB_NetAdp6Driver">[ProductName] virtual network adapter driver for NDIS6 Host-Only Networking.</String>
-
     <String Id="VB_Python">Python support for VirtualBox.</String>
 
@@ -76 +75 @@
     <String Id="SunFound">An old Sun VirtualBox installation has been found on this machine. Please uninstall this package first and then install [ProductName]!</String>
     <String Id="InnotekFound">An old innotek VirtualBox installation has been found on this machine. Please uninstall this package first and then install [ProductName]!</String>
+    <String Id="InvalidTargetDir">Invalid installation directory specified! Please use another installation directory to install [ProductName].</String>
 
     <!---->
@@ -92 +92 @@
     <String Id="LicenseAgreementDlg_Accept">I &amp;accept the terms in the License Agreement</String>
     <String Id="LicenseAgreementDlg_Decline">I &amp;do not accept the terms in the License Agreement</String>
+
+    <!---->
+
+    <String Id="InvalidTargetDirDlg_Header">Invalid installation directory</String>
+    <String Id="InvalidTargetDirDlg_Desc1">The chosen installation directory is invalid, as it does not meet the security requirements.</String>
+    <String Id="InvalidTargetDirDlg_Desc2">Please choose another directory for installing [ProductName].</String>
 
     <!---->

trunk/src/VBox/Installer/win/NLS/tr_TR.wxl

@@ -64 +64 @@
     <String Id="VB_NetLwfDriver">NDIS6 Köprü Ağı Oluşturma için [ProductName] sürücüsü.</String>
     <String Id="VB_NetAdp6Driver">NDIS6 Yalnızca-Anamakine Ağı Oluşturma için [ProductName] sanal ağ bağdaştırıcısı sürücüsü.</String>
-
-  <String Id="VB_Python">VirtualBox için Python desteği.</String>
+    <String Id="VB_Python">VirtualBox için Python desteği.</String>
 
     <!---->
@@ -76 +75 @@
     <String Id="SunFound">Bu makinede eski bir Sun VirtualBox kurulumu bulundu. Lütfen önce bu paketi kaldırın ve sonra [ProductName] yükleyin!</String>
     <String Id="InnotekFound">Bu makinede eski bir innotek VirtualBox kurulumu bulundu. Lütfen önce bu paketi kaldırın ve sonra [ProductName] yükleyin!</String>
+    <String Id="InvalidTargetDir">Invalid installation directory specified! Please use another installation directory to install [ProductName].</String>
 
     <!---->
@@ -92 +92 @@
     <String Id="LicenseAgreementDlg_Accept">Lisans Sözleşmesi içindeki şartları kabul e&amp;diyorum</String>
     <String Id="LicenseAgreementDlg_Decline">Lisans Sözleşmesi içindeki şartları kabul e&amp;tmiyorum</String>
+
+    <!---->
+
+    <String Id="InvalidTargetDirDlg_Header">Invalid installation directory</String>
+    <String Id="InvalidTargetDirDlg_Desc1">The chosen installation directory is invalid, as it does not meet the security requirements.</String>
+    <String Id="InvalidTargetDirDlg_Desc2">Please choose another directory for installing [ProductName].</String>
 
     <!---->

trunk/src/VBox/Installer/win/NLS/zh_CN.wxl

@@ -64 +64 @@
 <String Id="VB_NetLwfDriver">[ProductName] driver for NDIS6 Bridged Networking.</String>
 <String Id="VB_NetAdp6Driver">[ProductName] virtual network adapter driver for NDIS6 Host-Only Networking.</String>
-
 <String Id="VB_Python">VirtualBox 的 Python 支持。</String>
 
@@ -76 +75 @@
 <String Id="SunFound">在此计算机发现旧的 Sun VirtualBox 安装。 请先卸载此组件然后安装 [ProductName]！</String>
 <String Id="InnotekFound">在此计算机发现旧的 innotek VirtualBox 安装。 请先卸载此组件然后安装 [ProductName]！</String>
+<String Id="InvalidTargetDir">Invalid installation directory specified! Please use another installation directory to install [ProductName].</String>
 
 <!---->
@@ -92 +92 @@
 <String Id="LicenseAgreementDlg_Accept">我接受授权协议中条款(&amp;A)</String>
 <String Id="LicenseAgreementDlg_Decline">我不接受授权协议中条款(&amp;D)</String>
+
+<!---->
+
+<String Id="InvalidTargetDirDlg_Header">Invalid installation directory</String>
+<String Id="InvalidTargetDirDlg_Desc1">The chosen installation directory is invalid, as it does not meet the security requirements.</String>
+<String Id="InvalidTargetDirDlg_Desc2">Please choose another directory for installing [ProductName].</String>
 
 <!---->

trunk/src/VBox/Installer/win/NLS/zh_TW.wxl

@@ -64 +64 @@
     <String Id="VB_NetLwfDriver">[ProductName] 驅動程式針對 NDIS6 橋接網路。</String>
     <String Id="VB_NetAdp6Driver">[ProductName] 虛擬網路介面卡針對 NDIS6 「僅限主機」網路。</String>
-
     <String Id="VB_Python">VirtualBox 的 Python 支援。</String>
 
@@ -76 +75 @@
     <String Id="SunFound">在此電腦發現舊的 Sun VirtualBox 安裝。 請先解除安裝此套件然後安裝 [ProductName]！</String>
     <String Id="InnotekFound">在此電腦發現舊的 innotek VirtualBox 安裝。 請先解除安裝此套件然後安裝 [ProductName]！</String>
+    <String Id="InvalidTargetDir">Invalid installation directory specified! Please use another installation directory to install [ProductName].</String>
 
     <!---->
@@ -92 +92 @@
     <String Id="LicenseAgreementDlg_Accept">我接受授權協議中條款(&amp;A)</String>
     <String Id="LicenseAgreementDlg_Decline">我不接受授權協議中條款(&amp;D)</String>
+
+    <!---->
+
+    <String Id="InvalidTargetDirDlg_Header">Invalid installation directory</String>
+    <String Id="InvalidTargetDirDlg_Desc1">The chosen installation directory is invalid, as it does not meet the security requirements.</String>
+    <String Id="InvalidTargetDirDlg_Desc2">Please choose another directory for installing [ProductName].</String>
 
     <!---->

trunk/src/VBox/Installer/win/UserInterface.wxi

@@ -207 +207 @@
         </Dialog>
 
+        <!-- Shows a dialog which tells the user that the chosen installation directory is invalid and therefore cannot be used. -->
+        <Dialog Id="VBoxInvalidTargetDirDlg" Width="370" Height="270" Title="[ProductName] !(loc.Setup)" NoMinimize="yes">
+
+            <!-- The wizard has a bitmap as background. The source is defined as a property below. -->
+            <Control Id="Bitmap" Type="Bitmap" X="0" Y="0" Width="370" Height="234" TabSkip="no" Text="[DialogBitmap]" />
+
+            <!-- Title text drawn on the background -->
+            <Control Id="Title" Type="Text" X="135" Y="20" Width="220" Height="60" Transparent="yes" NoPrefix="yes">
+                <Text>{\DlgInvalidSerial}!(loc.InvalidTargetDirDlg_Header)</Text>
+            </Control>
+
+            <!-- Text saying what we gonna do -->
+            <Control Id="Description" Type="Text" X="135" Y="70" Width="220" Height="130" Transparent="yes" NoPrefix="yes">
+                <Text>!(loc.InvalidTargetDirDlg_Desc1)</Text>
+            </Control>
+
+            <Control Id="Description2" Type="Text" X="135" Y="95" Width="220" Height="130" Transparent="yes" NoPrefix="yes">
+                <Text>!(loc.InvalidTargetDirDlg_Desc2)</Text>
+            </Control>
+
+            <!-- And a line for looking nice... -->
+            <Control Id="BottomLine" Type="Line" X="0" Y="234" Width="370" Height="0" />
+
+            <!-- Build number text drawn left bottom -->
+            <Control Id="Build" Type="Text" X="20" Y="247" Width="220" Height="10" Transparent="yes" NoPrefix="yes">
+                <Text>[Version_text] $(var.Property_Version)</Text>
+            </Control>
+
+            <Control Id="Back" Type="PushButton" X="236" Y="243" Width="56" Height="17" Default="yes" Text="!(loc.ButtonText_Back)"/>
+
+            <!-- Canceling will bring up a confirmation dialog ('SpawnDialog' attribute) -->
+            <Control Id="Cancel" Type="PushButton" X="304" Y="243" Width="56" Height="17" Cancel="yes" Text="!(loc.ButtonText_Cancel)">
+                <Publish Event="SpawnDialog" Value="VBoxCancelDlg">1</Publish>
+            </Control>
+
+        </Dialog>
+
         <!-- Dialog used to set another installation path. This is taken from the tutorial template on the web and can also be
              used for package selection etc. if necessary after some tweaking. -->
@@ -221 +258 @@
                 <Text>!(loc.CustomizeDlg_IconTree)</Text>
             </Control>
-            <Control Id="Tree" Type="SelectionTree" X="25" Y="85" Width="175" Height="95" Property="_BrowseProperty"
+            <Control Id="Tree" Type="SelectionTree" X="25" Y="85" Width="175" Height="95" Property="VBOX_TARGET_DIR"
                      Sunken="yes" TabSkip="no" Text="Tree of selections" />
             <Control Id="Browse" Type="PushButton" X="304" Y="200" Width="56" Height="17" Text="!(loc.ButtonText_Browse)">
@@ -466 +503 @@
         <!-- Dialog used to change the installation directory -->
         <Dialog Id="VBoxBrowseDlg" Width="370" Height="270" Title="[ProductName] !(loc.Setup)" NoMinimize="yes">
-            <Control Id="PathEdit" Type="PathEdit" X="84" Y="202" Width="261" Height="18" Property="_BrowseProperty" Indirect="yes" />
-            <Control Id="OK" Type="PushButton" X="304" Y="243" Width="56" Height="17" Default="yes" Text="!(loc.ButtonText_OK)">
-                <Publish Event="SetTargetPath" Value="[_BrowseProperty]">1</Publish>
-                <Publish Event="EndDialog" Value="Return">1</Publish>
-            </Control>
-            <Control Id="Cancel" Type="PushButton" X="240" Y="243" Width="56" Height="17" Cancel="yes" Text="!(loc.ButtonText_Cancel)">
-                <Publish Event="Reset" Value="0">1</Publish>
-                <Publish Event="EndDialog" Value="Return">1</Publish>
-            </Control>
+            <Control Id="PathEdit" Type="PathEdit" X="84" Y="202" Width="261" Height="18" Property="VBOX_TARGET_DIR" Indirect="yes" />
+            <Control Id="OK" Type="PushButton" X="304" Y="243" Width="56" Height="17" Default="yes" Text="!(loc.ButtonText_OK)" />
+            <Control Id="Cancel" Type="PushButton" X="240" Y="243" Width="56" Height="17" Cancel="yes" Text="!(loc.ButtonText_Cancel)"/>
             <Control Id="ComboLabel" Type="Text" X="25" Y="58" Width="44" Height="10" TabSkip="no" Text="!(loc.BrowseDlg_LookIn)" />
             <Control Id="DirectoryCombo" Type="DirectoryCombo" X="70" Y="55" Width="220" Height="80"
-                     Property="_BrowseProperty" Indirect="yes" Fixed="yes" Remote="yes">
+                     Property="VBOX_TARGET_DIR" Indirect="yes" Fixed="yes" Remote="yes">
                 <Subscribe Event="IgnoreChange" Attribute="IgnoreChange" />
             </Control>
@@ -488 +519 @@
             </Control>
             <Control Id="DirectoryList" Type="DirectoryList" X="25" Y="83" Width="320" Height="110"
-                     Property="_BrowseProperty" Sunken="yes" Indirect="yes" TabSkip="no" />
+                     Property="VBOX_TARGET_DIR" Sunken="yes" Indirect="yes" TabSkip="no" />
             <Control Id="PathLabel" Type="Text" X="25" Y="205" Width="59" Height="10" TabSkip="no" Text="!(loc.BrowseDlg_FolderName)" />
             <Control Id="BannerBitmap" Type="Bitmap" X="0" Y="0" Width="370" Height="44" TabSkip="no" Text="[BannerBitmap]" />
@@ -1178 +1209 @@
         <Publish Dialog="VBoxWrongSerialDlg" Control="Back" Event="NewDialog" Value="VBoxCheckSerialDlg">1</Publish>
 
-        <!-- Note: We have to set (1) or unset ({}) the properties first (see order #), as those will be needed for further routing. -->
-        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Property="VBOX_SHOW_WARN_PYTHONAPI_DLG" Value="1" Order="1"><![CDATA[(&VBoxPython=3) AND (VBOX_PYTHON_DEPS_INSTALLED="0")]]></Publish>
-        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Property="VBOX_SHOW_WARN_PYTHONAPI_DLG" Value="{}" Order="2"><![CDATA[(&VBoxPython<3)]]></Publish>
-        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Property="VBOX_SHOW_WARN_DISCONNECTIFACES_DLG" Value="1" Order="3"><![CDATA[&VBoxNetworkFlt=3]]></Publish>
-        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Property="VBOX_SHOW_WARN_DISCONNECTIFACES_DLG" Value="{}" Order="4"><![CDATA[&VBoxNetworkFlt<3]]></Publish>
-        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Event="NewDialog" Value="VBoxWarnDisconNetIfacesDlg" Order="10"><![CDATA[VBOX_SHOW_WARN_DISCONNECTIFACES_DLG]]></Publish>
-        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Event="NewDialog" Value="VBoxWarnPythonDlg" Order="11"><![CDATA[VBOX_SHOW_WARN_PYTHONAPI_DLG AND (NOT VBOX_SHOW_WARN_DISCONNECTIFACES_DLG)]]></Publish>
-        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Event="NewDialog" Value="VBoxCustomize2Dlg" Order="12"><![CDATA[VBOX_SHOW_CUSTOMIZE2_DLG AND (NOT VBOX_SHOW_WARN_DISCONNECTIFACES_DLG) AND (NOT VBOX_SHOW_WARN_PYTHONAPI_DLG)]]></Publish>
-        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Event="NewDialog" Value="VBoxVerifyReadyDlg" Order="13"><![CDATA[(NOT VBOX_SHOW_CUSTOMIZE2_DLG) AND (NOT VBOX_SHOW_WARN_DISCONNECTIFACES_DLG) AND (NOT VBOX_SHOW_WARN_PYTHONAPI_DLG)]]></Publish>
+        <Publish Dialog="VBoxBrowseDlg" Control="OK" Event="SetTargetPath" Value="[VBOX_TARGET_DIR]" Order="1">1</Publish>
+        <Publish Dialog="VBoxBrowseDlg" Control="OK" Event="EndDialog" Value="Return" Order="2">1</Publish>
+        <Publish Dialog="VBoxBrowseDlg" Control="Cancel" Event="Reset" Value="0" Order="1">1</Publish>
+        <Publish Dialog="VBoxBrowseDlg" Control="Cancel" Event="EndDialog" Value="Return" Order="2">1</Publish>
+
+        <Publish Dialog="VBoxInvalidTargetDirDlg" Control="Back" Event="NewDialog" Value="VBoxCustomizeDlg">1</Publish>
+
+        <!-- Note:  We have to set (1) or unset ({}) the properties first (see order #), as those will be needed for further routing.
+             Note2: I'd love to make this easier to read/follow, but this is how Windows Installer XML works for processing all these events, sigh. -->
+
+        <!-- Check if the chosen installation directory turned out to be invalid by calling our installation helper DLL
+             and performing a custom action. See @bugref{10616} -->
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Event="DoAction" Value="ca_CheckTargetDirPre" Order="1">1</Publish>
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Property="VBOX_SHOW_INVALID_TARGET_DLG" Value="1" Order="2"><![CDATA[VBox_Target_Dir_Is_Valid="0"]]></Publish>
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Property="VBOX_SHOW_WARN_PYTHONAPI_DLG" Value="1" Order="3"><![CDATA[(&VBoxPython=3) AND (VBOX_PYTHON_DEPS_INSTALLED="0")]]></Publish>
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Property="VBOX_SHOW_WARN_PYTHONAPI_DLG" Value="{}" Order="4"><![CDATA[(&VBoxPython<3)]]></Publish>
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Property="VBOX_SHOW_WARN_DISCONNECTIFACES_DLG" Value="1" Order="5"><![CDATA[&VBoxNetworkFlt=3]]></Publish>
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Property="VBOX_SHOW_WARN_DISCONNECTIFACES_DLG" Value="{}" Order="6"><![CDATA[&VBoxNetworkFlt<3]]></Publish>
+        <!-- Show an error dialog if the chosen installation directory was found to be invalid. See @bugref{10616} -->
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Event="NewDialog" Value="VBoxInvalidTargetDirDlg" Order="10">1</Publish>
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Event="NewDialog" Value="VBoxWarnDisconNetIfacesDlg" Order="11"><![CDATA[VBOX_SHOW_WARN_DISCONNECTIFACES_DLG]]></Publish>
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Event="NewDialog" Value="VBoxWarnPythonDlg" Order="12"><![CDATA[VBOX_SHOW_WARN_PYTHONAPI_DLG AND (NOT VBOX_SHOW_WARN_DISCONNECTIFACES_DLG)]]></Publish>
+        <!-- Only allow going to the next stage if the chosen installation directory is valid. See @bugref{10616} -->
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Event="NewDialog" Value="VBoxCustomize2Dlg" Order="13"><![CDATA[VBOX_SHOW_CUSTOMIZE2_DLG AND (NOT VBOX_SHOW_WARN_DISCONNECTIFACES_DLG) AND (NOT VBOX_SHOW_WARN_PYTHONAPI_DLG) AND (NOT VBox_Target_Dir_Is_Valid="0")]]></Publish>
+        <Publish Dialog="VBoxCustomizeDlg" Control="Next" Event="NewDialog" Value="VBoxVerifyReadyDlg" Order="14"><![CDATA[(NOT VBOX_SHOW_CUSTOMIZE2_DLG) AND (NOT VBOX_SHOW_WARN_DISCONNECTIFACES_DLG) AND (NOT VBOX_SHOW_WARN_PYTHONAPI_DLG)]]></Publish>
         <Publish Dialog="VBoxCustomizeDlg" Control="Back" Event="NewDialog" Value="VBoxCheckSerialDlg"><![CDATA[VBOX_SHOW_SERIAL_CHECK_DLG]]></Publish>
         <Publish Dialog="VBoxCustomizeDlg" Control="Back" Event="NewDialog" Value="VBoxLicenseAgreementDlg"><![CDATA[NOT VBOX_SHOW_SERIAL_CHECK_DLG]]></Publish>
@@ -1212 +1259 @@
             <Custom Action="ca_IsMSCRTInstalled" After="AppSearch" />
 <?endif?>
+            <Custom Action="ca_CheckTargetDirPre" After="AppSearch"/> <!-- Required for launch conditions. See @bugref{10616} -->
             <Custom Action="ca_OriginalTargetDir" After="FileCost"><![CDATA[(NOT INSTALLDIR) AND (NOT EXISTINGINSTALLDIR)]]></Custom>
             <Custom Action="ca_DefaultTargetDir" After="FileCost"><![CDATA[NOT Installed AND (NOT INSTALLDIR) AND EXISTINGINSTALLDIR]]></Custom>

trunk/src/VBox/Installer/win/VBoxMergeApp.wxi

@@ -128 +128 @@
                     Vital="yes">
             <ServiceDependency Id="RPCSS" />
+            <ServiceConfig ServiceSid="restricted" OnInstall="yes" OnReinstall="yes" />
         </ServiceInstall>
         <ServiceControl Id="VBoxSDSControl" Name="VBoxSDS" Stop="both" Remove="uninstall" />

trunk/src/VBox/Installer/win/VBoxMergeAppCA.wxi

@@ -36 +36 @@
                   DllEntry="IsWindows10" Execute="immediate" Return="ignore" Impersonate="no" />
 
+    <!-- Makes sure we check if the chosen target directory is valid before allowing to install. See @bugref{10616} -->
+    <CustomAction Id="ca_CheckTargetDirPre" BinaryKey="VBoxInstallHelper"
+                  DllEntry="CheckTargetDir" Execute="immediate" Return="ignore" Impersonate="no" />
+    <!-- Makes sure that the target directory we installed into still is valid. Rollback if it isn't. See @bugref{10616} -->
+    <CustomAction Id="ca_CheckTargetDirPost" BinaryKey="VBoxInstallHelper"
+                  DllEntry="CheckTargetDir" Execute="immediate" Return="check" Impersonate="no" />
 </Include>
 

trunk/src/VBox/Installer/win/VBoxMergeAppSeq.wxi

@@ -31 +31 @@
     <Custom Action="ca_IsMSCRTInstalled" After="AppSearch">1</Custom>
 <?endif?>
+    <!-- Required for lauch conditions. See @bugref{10616} -->
+    <Custom Action="ca_CheckTargetDirPre" After="AppSearch"/>
+    <!-- Check if the installation directory still fits our security requirements after we finalized installation.
+         See @bugref{10616} -->
+    <Custom Action="ca_CheckTargetDirPost" After="InstallFinalize"><![CDATA[NOT REMOVE]]></Custom>
 
     <Custom Action="ca_IsWindows10" After="FileCost">1</Custom>

trunk/src/VBox/Installer/win/VirtualBox.wxs

@@ -128 +128 @@
     </Condition>
 <?endif ?>
+    <!-- Check if the current INSTALLDIR is valid or not, or if VBox already is installed.
+         Thight might be handed-in via command line (MSI properties) or through a customized merge module. See @bugref{10616} -->
+    <Condition Message="!(loc.InvalidTargetDir)">
+        Installed OR (VBox_Target_Dir_Is_Valid="1")
+    </Condition>
 
     <!-- Detect old innotek installation -->