adamdc78
Posts: 76
Joined: Wed Mar 19, 2014 7:42 pm

Hidden properties logged in plain text when passed as CustomActionData

Wed Mar 08, 2017 10:44 pm

I have a property marked as hidden which stores a password needed by a deferred custom action, however I cannot get that data TO the custom action without exposing it in plain text to the logging!

The log lines in question are:
MSI (s) (10:7C) [15:01:05:803]: PROPERTY CHANGE: Adding MyCustomAction property. Its value is 'Key1=Value1 Key2="Value2" Key3="MyHiddenPropertyValue"'.
and
MSI (s) (10:7C) [15:01:19:663]: Executing op: CustomActionSchedule(Action=MyCustomAction,ActionType=3073,Source=BinaryData,Target=MyCustomAction,CustomActionData=Key1=Value1 Key2="Value2" Key3="MyHiddenPropertyValue")
What exactly is the point of the Hidden flag if the logging exposes the data anyway?

Eusebiu
Posts: 4931
Joined: Wed Nov 14, 2012 2:04 pm

Re: Hidden properties logged in plain text when passed as CustomActionData

Thu Mar 09, 2017 10:33 am

Hi,

When the "Hide property" flag is set for a property defined in "Install Parameters" page, it is indeed set not to be displayed in the log file. However, if the content of that property is assigned to another property, its content will be visible in the log.

If you want to hide a property that is not available in the "Install Parameters" page, you can create a "Set installer property" custom action and add it to the "MsiHiddenProperties" property.

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

adamdc78
Posts: 76
Joined: Wed Mar 19, 2014 7:42 pm

Re: Hidden properties logged in plain text when passed as CustomActionData

Thu Mar 09, 2017 3:09 pm

Let's assume that adding CustomActionData to MsiHiddenProperties works. That still doesn't stop it from being logged by CustomActionSchedule.

Eusebiu
Posts: 4931
Joined: Wed Nov 14, 2012 2:04 pm

Re: Hidden properties logged in plain text when passed as CustomActionData

Thu Mar 09, 2017 4:00 pm

Hi,

You may need to add the name of the custom action to the "MsiHiddenProperties" property, too. If it still doesn't work, can you please send me the .AIP (project file), a verbose log of the installation and the name of the problematic properties to support at advancedinstaller dot com, so I can investigate them?

Best regards,
Eusebiu
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Golden
Posts: 3
Joined: Tue Apr 25, 2017 2:14 pm

Re: Hidden properties logged in plain text when passed as CustomActionData

Wed Apr 26, 2017 8:16 am

Hi,
Followed the above steps still the issue not solved. Let me know whether the issue fixed? If so can you brief?

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Hidden properties logged in plain text when passed as CustomActionData

Thu Apr 27, 2017 8:22 am

Hello Golden,

We have investigated your sent project over email and the behaviour is encountered because the password is referred in another property, CustomActionData. CustomActionData property also needs to be hidden. For doing so, you have to create a new "Set Installer Property" custom action with sequence. Place this action before "Searches" action group. In the "Property" field of the custom action enter

Code: Select all

MsiHiddenProperties
and in the value field enter

Code: Select all

CustomActionData
All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

Golden
Posts: 3
Joined: Tue Apr 25, 2017 2:14 pm

Re: Hidden properties logged in plain text when passed as CustomActionData

Fri Apr 28, 2017 10:04 am

Thanks for your input. It works if we use inbuilt custom action like CheckIfUserExists but when we pass the properties like USER_PASSWORD as parameter to the dll custom action in Action Data, they appear in the log. Can you please let us know how to overcome it.

Daniel
Posts: 8237
Joined: Mon Apr 02, 2012 1:11 pm
Contact:  Website

Re: Hidden properties logged in plain text when passed as CustomActionData

Wed May 03, 2017 8:57 am

Hello Golden,

In this case, to hide the password written in the log file by your DLL custom action you will have to set the msidbCustomActionTypeHideTarget flag for your custom action.

You need to use the following steps:

1. Go to "Table Editor" page and select "Custom Action" table.
2. Select your dll custom action row and edit its "Type" field in the following way: add 8192 to its current value. For example if its current value is 38 you need to set it to 8230

All the best,
Daniel
Daniel Radu - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

ybe
Posts: 14
Joined: Fri Oct 09, 2020 9:27 am

Re: Hidden properties logged in plain text when passed as CustomActionData

Tue Jan 26, 2021 10:28 am

How do i add the "Set installer property" Custom Action to the "MsiHiddenProperties" property? I've tried for hours, but I've still not figured it out.

Note: MsiHiddenPrioperties does not exist in my Set installer property > Property.

Eusebiu
Posts: 4931
Joined: Wed Nov 14, 2012 2:04 pm

Re: Hidden properties logged in plain text when passed as CustomActionData

Tue Jan 26, 2021 1:19 pm

Hi,

Indeed, the "MsiHiddenProperties" property is not displayed in the property picker, but you can just write it manually as in the image below.

I hope this helps.

Best regards,
Eusebiu
Attachments
Set MsiHiddenPoperties.png
Set MsiHiddenPoperties.png (6.69KiB)Viewed 1892968 times
Eusebiu Aria - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

sasha
Posts: 21
Joined: Fri Oct 20, 2023 8:37 pm

Re: Hidden properties logged in plain text when passed as CustomActionData

Mon Jan 08, 2024 10:55 pm

I have now also noticed that some of the hidden properties are logged in a clear text. Indeed, they are passed as action data to a custom action (a VB script). In the log file they are present like this:

PROPERTY CHANGE: Adding XXX_Propertyproperty. Its value is YYY_clear_text.

I've followed the suggestions in this thread the best I could understand them, but that didn't work. In fact, it's probably worse now. The reason is that the existing hidden properties are now overwritten to the 'CustomActionData' value:

PROPERTY CHANGE: Modifying MsiHiddenProperties property. Its current value is 'ADDRESS;ACCOUNTNAME .... Its new value: 'CustomActionData'.

So, not clear what I should do to ensure a hidden property is not logged. Using AI 20.7.1

Thanks!

Catalin
Posts: 6506
Joined: Wed Jun 13, 2018 7:49 am

Re: Hidden properties logged in plain text when passed as CustomActionData

Tue Jan 09, 2024 4:48 pm

Hello Sasha,

If possible, could you please forward me, by email at support at advancedinstaller dot com a small sample project that reproduces this behavior (and, for instance, if you are using a DLL file for your custom action, please send that too under the same ZIP archive)?

I would like to run some tests and further investigate this, but it would really help to work on your exact scenario so I'm not wasting time on different scenarios.

Looking forward to hearing from you!

Best regards,
Catalin
Catalin Gheorghe - Advanced Installer Team
Follow us: Twitter - Facebook - YouTube

sasha
Posts: 21
Joined: Fri Oct 20, 2023 8:37 pm

Re: Hidden properties logged in plain text when passed as CustomActionData

Tue Jan 09, 2024 7:37 pm

Thanks for the reply, Catalin. I will try to come up with something :)


sasha
Posts: 21
Joined: Fri Oct 20, 2023 8:37 pm

Re: Hidden properties logged in plain text when passed as CustomActionData

Wed Jan 10, 2024 12:38 am

The receiving email server refused to accept the email with the .zip file attached:

Error: 550 5.0.350 One or more of the attachments in your email is of a file type that is NOT allowed by the recipient's organization.
Message rejected by: CY8PR11MB7135.namprd11.prod.outlook.com

Return to “Common Problems”