Move bypass execution policy check after AppLocker Deny check (#15035)

Travis Plunk 2021-03-22 11:25:01 -07:00 committed by GitHub
parent b001003670
commit f1b8798264
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -140,10 +140,6 @@ namespace Microsoft.PowerShell
// Get the execution policy
_executionPolicy = SecuritySupport.GetExecutionPolicy(_shellId);
// See if they want to bypass the authorization manager
if (_executionPolicy == ExecutionPolicy.Bypass)
return true;
// Always check the SAFER APIs if code integrity isn't being handled system-wide through
// WLDP or AppLocker. In those cases, the scripts will be run in ConstrainedLanguage.
// Otherwise, block.
@ -184,6 +180,13 @@ namespace Microsoft.PowerShell
}
}
// WLDP and Applocker takes priority over powershell exeuction policy.
// See if they want to bypass the authorization manager
if (_executionPolicy == ExecutionPolicy.Bypass)
{
return true;
}
if (_executionPolicy == ExecutionPolicy.Unrestricted)
{
// Product binaries are always trusted
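Review bot: The relocated `ExecutionPolicy.Bypass` check in the second hunk is only safe if every Deny outcome in the preceding WLDP/AppLocker block has already thrown or returned; that block's body lies between the two hunks and is not visible here, so this should be confirmed against the full method. Any Deny path that falls through would still reach `return true` under Bypass. The new comment should state that invariant and fix its wording, for example `// WLDP and AppLocker take priority over the PowerShell execution policy: a Deny verdict above must block even under Bypass.` No test change is visible on this page; a regression test that runs an AppLocker-denied script with `-ExecutionPolicy Bypass` and expects it to be blocked would pin the new ordering. The enclosing method starts and ends outside both hunks.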