Fixed a security issue where you could get a browse dialog on a secure screen via addon manager #13056
trypsynth wants to merge 1 commit into
Conversation
…at the log on screen via addon manager.
Oops... I totally just realised I forgot to set this as a draft. Sorry, I can't figure out how to do it.
Never mind, I'm such a newb. This should work.
To be honest, I didn’t think this PR was very useful before NVDA did not allow the management of addon on the security screen. I can now use this vulnerability to manage addon on the security screen. I admit that there are security risks, but I think NVDA should provide users with a feasible solution as soon as possible to make it more convenient for users to manage the addon of the security screen.
Yeah, maybe allow disabling/enabling of addons or something, but definitely not the browse dialog. This works for now though, I think.
Yes, I hope NVDA can take this into consideration: even if the addon manager is opened on the security screen, the install plugin button is not displayed.
Hi, this assumes that a copy of gestures.ini with a bound gesture for Add-ons Manager is copied to the system config folder, and the “browse dialog” refers to the add-on install procedure, correct? Also, please provide a hypothetical (or even better, an actual) output from cmd.exe that is run using the procedure listed in this PR for verification purposes (hypothetically, this should be looked at, but I think an actual output would provide persuasive evidence). Lastly, I don’t know about NV Access, but for security issues, please use an issue/PR pair, as it provides a venue for folks to discuss security implications in one issue that can be referenced using a follow-up PR. Thanks.
@josephsl, yes. Something like this in gestures.ini
Would any of this affect the ability to install from a portable copy to the main machine complete with add-ons?
Brian
----- Original Message -----
From: "Quin" ***@***.***>
To: "nvaccess/nvda" ***@***.***>
Cc: "Subscribed" ***@***.***>
Sent: Sunday, November 14, 2021 5:11 AM
Subject: Re: [nvaccess/nvda] Fixed a security issue where you could get a browse dialog on a secure screen via addon manager (PR #13056)
… @josephsl, yes. Something like this in gestures.ini
[globalCommands.GlobalCommands]
activateAddonsManager = kb(laptop):a+control+nvda+shift
And I'm slightly confused what you mean about cmd output? Fair enough about the issue/PR thing though. I just figured because it was a 2-line change, I'd just open a PR. But will keep that in mind for the future.
My preference would be either to disable the 'install' button in add-ons manager when in secure mode, or if we really want to disallow opening it on secure screens move this check inside
OK. I found the lines in the addonGui to spawn the install button. Will close this PR, and open a new one (on a fresh branch) disabling that on secure screens :)
Link to issue number:
None
Summary of the issue:
If a user bound a gesture to open the addon manager, and copied it to their config at secure screens, someone could press it, get a browse dialog, and run CMD as systemroot, as well as do all sorts of other things.
Description of how this pull request fixes the issue:
Added a check in globalCommands.py to see if we're on a secure screen before opening the addon manager via a gesture.
Testing strategy:
Known issues with pull request:
None
Change log entries:
Not really sure if this deserves a CL entry, but if so...
Bug fixes
Code Review Checklist:
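As an added illustration (not NVDA's code and not the change in this PR), here is a minimal model of the two mitigations discussed in this thread: refusing to run the Add-ons Manager gesture script while on a secure screen, and never creating the Install button there so no browse dialog can be reached. `SecureModeState`, `AddonsManagerDialog`, `script` and `dispatch_gesture` are hypothetical stand-ins; `state.secure` stands in for NVDA's secure-mode flag.

```python
from dataclasses import dataclass, field


@dataclass
class SecureModeState:
    """Hypothetical stand-in for NVDA's startup flags; secure is True on logon/UAC screens."""
    secure: bool = False


@dataclass
class AddonsManagerDialog:
    """Hypothetical stand-in for the add-ons manager GUI; records which buttons it creates."""
    secure: bool
    buttons: list = field(default_factory=list)

    def __post_init__(self):
        # Mitigation 2 (the reviewer's preference): never create the Install button,
        # and with it the file browse dialog, while on a secure screen.
        self.buttons = ["close", "enable", "disable"]
        if not self.secure:
            self.buttons.append("install")


SCRIPT_REGISTRY = {}


def script(blocked_in_secure_mode):
    """Register a gesture script and tag whether secure mode must block it."""
    def wrap(fn):
        fn.blocked_in_secure_mode = blocked_in_secure_mode
        SCRIPT_REGISTRY[fn.__name__] = fn
        return fn
    return wrap


@script(blocked_in_secure_mode=True)
def activateAddonsManager(state):
    return AddonsManagerDialog(secure=state.secure)


@script(blocked_in_secure_mode=False)
def reportCurrentLine(state):
    return "line reported"


def dispatch_gesture(state, script_name):
    """Mitigation 1 (this PR's approach): refuse blocked scripts on a secure screen."""
    fn = SCRIPT_REGISTRY[script_name]
    if state.secure and fn.blocked_in_secure_mode:
        return None  # gesture silently ignored; no dialog is opened
    return fn(state)
```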