X-Git-Url: https://git.distorted.org.uk/u/mdw/putty/blobdiff_plain/3b2ffe3bea3504e907d8f39c473b9895dfd1d08e..bda368a515dc80afe90f2a35c3eb123b2489aa9f:/windows/winmisc.c

diff --git a/windows/winmisc.c b/windows/winmisc.c
index c7ac8357..d05a07ab 100644
--- a/windows/winmisc.c
+++ b/windows/winmisc.c
@@ -49,7 +49,7 @@ char *get_username(void)
 	static int tried_usernameex = FALSE;
 	if (!tried_usernameex) {
 	    /* Not available on Win9x, so load dynamically */
-	    HMODULE secur32 = LoadLibrary("SECUR32.DLL");
+	    HMODULE secur32 = load_system32_dll("secur32.dll");
 	    GET_WINDOWS_FUNCTION(secur32, GetUserNameExA);
 	    tried_usernameex = TRUE;
 	}
@@ -105,6 +105,33 @@ BOOL init_winver(void)
     return GetVersionEx ( (OSVERSIONINFO *) &osVersion);
 }
 
+HMODULE load_system32_dll(const char *libname)
+{
+    /*
+     * Wrapper function to load a DLL out of c:\windows\system32
+     * without going through the full DLL search path. (Hence no
+     * attack is possible by placing a substitute DLL earlier on that
+     * path.)
+     */
+    static char *sysdir = NULL;
+    char *fullpath;
+    HMODULE ret;
+
+    if (!sysdir) {
+	int size = 0, len;
+	do {
+	    size = 3*size/2 + 512;
+	    sysdir = sresize(sysdir, size, char);
+	    len = GetSystemDirectory(sysdir, size);
+	} while (len >= size);
+    }
+
+    fullpath = dupcat(sysdir, "\\", libname, NULL);
+    ret = LoadLibrary(fullpath);
+    sfree(fullpath);
+    return ret;
+}
+
 #ifdef DEBUG
 static FILE *debug_fp = NULL;
 static HANDLE debug_hdl = INVALID_HANDLE_VALUE;