[bug] avoid installing in custom paths

A vulnerability in QtIFW produces improper ACLs to be set when
installing in custom locations. This can lead to privilege escalation if
a non-privileged user overwrites the openvpn binary. Thanks to
researchers at Tenable for finding and reporting this!

Impact is considered low-medium, since an installation outside of the
suggested path is needed to trigger the issue.

Privileged execution of openvpn should be abandoned in next release, in
favor of the interactive service.

A bug upstream should be filed since other projects could be affected by
this vulnerability too.

-Resolves: #569

2 files changed, 2 insertions, 1 deletions

diff --git a/branding/scripts/gen-qtinstaller b/branding/scripts/gen-qtinstaller
index 5b4d103..eb11d3b 100755
--- a/branding/scripts/gen-qtinstaller
+++ b/branding/scripts/gen-qtinstaller
@@ -27,7 +27,7 @@ OS_CONFIG = {
 """,
     'windows': """
     <!-- windows -->
-    <TargetDir>@ApplicationsDir@/$APPNAME</TargetDir>
+    <TargetDir>c:/Program Files (x86)/$APPNAME</TargetDir>
     <StartMenuDir>$APPNAME</StartMenuDir>
 
     <RunProgram>@TargetDir@/$BINNAME.exe</RunProgram>
diff --git a/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js b/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js
index b97d0a7..aa3da1f 100644
--- a/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js
+++ b/branding/templates/qtinstaller/packages/bitmaskvpn/meta/install.js
@@ -29,6 +29,7 @@ function Component() {
 
     console.log("OS: " + systemInfo.productType);
     console.log("Kernel: " + systemInfo.kernelType + "/" + systemInfo.kernelVersion);
+    installer.setDefaultPageVisible(QInstaller.TargetDirectory, false);
 
     var validOs = false;