Fix issues with security tokens (Enhanced Protected Mode, Protected Mode etc)

src/plugin/AdblockPlusClient.cpp

 #include "PluginStdAfx.h"
 #include "PluginSettings.h"
 #include "PluginSystem.h"
 #include "PluginFilter.h"
 #include "PluginClientFactory.h"
 #include "PluginMutex.h"
 #include "PluginClass.h"
 
 #include "AdblockPlusClient.h"
 
@@ skipping 31 matching lines @@
 
     BOOL createProcRes = 0;
     // Running inside AppContainer?
     if (acs != NULL && acs->TokenAppContainer != NULL)
     {
       // We need to break out from AppContainer. Launch with default security - registry entry will eat the user prompt
       // See http://msdn.microsoft.com/en-us/library/bb250462(v=vs.85).aspx#wpm_elebp
       createProcRes = CreateProcessW(engineExecutablePath.c_str(), params.GetBuffer(params.GetLength() + 1),
                               0, 0, false, 0, 0, 0, (STARTUPINFOW*)&startupInfo, &processInformation);
     }
     else

[Felix Dahlke, 2013/12/10 16:46:36]

This happens if the engine is first started from bing.com, right?

[Oleksandr, 2014/03/04 10:40:05]

yes. bing.com (or any other website from the exceptions list) or just not in
Enhanced Protected Mode.

On 2013/12/10 16:46:36, Felix H. Dahlke wrote:

     {
       // Launch with Low Integrity explicitly
       HANDLE newToken;
       DuplicateTokenEx(token, 0, 0, SecurityImpersonation, TokenPrimary, &newToken);
 
-      PSID pIntegritySid = 0;

[Felix Dahlke, 2013/12/10 16:46:36]

Less Hungarian please :D

-      BOOL res = ConvertStringSidToSid(L"S-1-16-4096", &pIntegritySid);

[Felix Dahlke, 2013/12/10 16:46:36]

Since the return value is ignored, there's no need to store it.

-      std::tr1::shared_ptr<SID> sharedIntegritySid(static_cast<SID*>(pIntegritySid), FreeSid); // Just to simplify cleanup
-
-      TOKEN_MANDATORY_LABEL tml = {0};

[Felix Dahlke, 2013/12/10 16:46:36]

Let's go with {} for consistency's sake.

+      PSID integritySid = 0;
+      ConvertStringSidToSid(L"S-1-16-4096", &integritySid);
+      std::tr1::shared_ptr<SID> sharedIntegritySid(static_cast<SID*>(integritySid), FreeSid); // Just to simplify cleanup
+
+      TOKEN_MANDATORY_LABEL tml = {};
       tml.Label.Attributes = SE_GROUP_INTEGRITY;
-      tml.Label.Sid = pIntegritySid;
+      tml.Label.Sid = integritySid;
 
       // Set the process integrity level
-      res = SetTokenInformation(newToken, TokenIntegrityLevel, &tml, sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(pIntegritySid));

[Felix Dahlke, 2013/12/10 16:46:36]

As above, no need to store the return value.

+      SetTokenInformation(newToken, TokenIntegrityLevel, &tml, sizeof(TOKEN_MANDATORY_LABEL) + GetLengthSid(integritySid));
 
       STARTUPINFO startupInfo = {};
       PROCESS_INFORMATION processInformation = {};
-      BOOL createProcRes = 0;

[Felix Dahlke, 2013/12/10 16:46:36]

Why redeclare the variable here? This means that when createProcRes is checked
further below, it's always 0.

 
       createProcRes = CreateProcessAsUserW(newToken, engineExecutablePath.c_str(), params.GetBuffer(params.GetLength() + 1),
                               0, 0, false, 0, 0, 0, (STARTUPINFOW*)&startupInfo, &processInformation);
     }
 
     if (!createProcRes)
     {
       throw std::runtime_error("Failed to start Adblock Plus Engine");
     }
 
@@ skipping 425 matching lines @@
 bool CAdblockPlusClient::TogglePluginEnabled()
 {
   DEBUG_GENERAL("TogglePluginEnabled");
   Communication::InputBuffer response;
   if (!CallEngine(Communication::PROC_TOGGLE_PLUGIN_ENABLED, response)) 
     return false;
   bool currentEnabledState;
   response >> currentEnabledState;
   return currentEnabledState;
 }