Merge topic 'nsis-protect-uninst-exec'

11768733 NSIS: Quote uninstaller path when executing it in a shell

2 files changed, 7 insertions, 1 deletions

diff --git a/Help/release/3.6.rst b/Help/release/3.6.rst
index 771c9dd..144537d 100644
--- a/Help/release/3.6.rst
+++ b/Help/release/3.6.rst
@@ -308,3 +308,9 @@ Other Changes
   preferred future use is upper cased component names in variables.
   New variables that will be added to CPackRPM in later versions
   will only support upper cased component variable format.
+
+* The CPack NSIS generator's configuration file template was fixed to
+  quote the path to the uninstaller tool used by the
+  :variable:`CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL` option.
+  This avoids depending on an insecure Windows feature to run an
+  uninstaller tool with a space in the path.
diff --git a/Modules/NSIS.template.in b/Modules/NSIS.template.in
index 2de9e1d..c66a89b 100644
--- a/Modules/NSIS.template.in
+++ b/Modules/NSIS.template.in
@@ -913,7 +913,7 @@ uninst:
   ClearErrors
   StrLen $2 "\Uninstall.exe"
   StrCpy $3 $0 -$2 # remove "\Uninstall.exe" from UninstallString to get path
-  ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file
+  ExecWait '"$0" _?=$3' ;Do not copy the uninstaller to a temp file
 
   IfErrors uninst_failed inst
 uninst_failed: