NSIS: Quote uninstaller path when executing it in a shell

Protect our `$0` reference in the shell as `"$0"`.  Otherwise it works
with a space in the path only due to an insecure Windows feature.

Prior to this fix, any installer using the option added by commit
v2.8.9~234^2 (Added CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL,
2011-06-11) exposes a local privilege escalation vulnerability.

Reported-by: Amir Szekely <kichik@gmail.com>
Reported-by: Ug_0 Security

2 files changed, 7 insertions, 1 deletions

diff --git a/Help/release/3.6.rst b/Help/release/3.6.rst
index 771c9dd4cb..144537de0e 100644
--- a/Help/release/3.6.rst
+++ b/Help/release/3.6.rst
@@ -308,3 +308,9 @@ Other Changes
   preferred future use is upper cased component names in variables.
   New variables that will be added to CPackRPM in later versions
   will only support upper cased component variable format.
+
+* The CPack NSIS generator's configuration file template was fixed to
+  quote the path to the uninstaller tool used by the
+  :variable:`CPACK_NSIS_ENABLE_UNINSTALL_BEFORE_INSTALL` option.
+  This avoids depending on an insecure Windows feature to run an
+  uninstaller tool with a space in the path.
diff --git a/Modules/NSIS.template.in b/Modules/NSIS.template.in
index 1ef3d28c76..92a31422fb 100644
--- a/Modules/NSIS.template.in
+++ b/Modules/NSIS.template.in
@@ -920,7 +920,7 @@ uninst:
   ClearErrors
   StrLen $2 "\Uninstall.exe"
   StrCpy $3 $0 -$2 # remove "\Uninstall.exe" from UninstallString to get path
-  ExecWait '$0 _?=$3' ;Do not copy the uninstaller to a temp file
+  ExecWait '"$0" _?=$3' ;Do not copy the uninstaller to a temp file
 
   IfErrors uninst_failed inst
 uninst_failed: