Merge rc to beta #14176
Merged
Addresses GHSA-585m-rpvv-93qg

Summary of the issue:
NVDA introduced the report dev info script as a safe script for the lock screen in 2021.3.2 via #13328. This was under the assumption that the log viewer never shows up on the lock screen. However, using certain steps, the log viewer can be interacted with on the lock screen. Further steps allow opening the NVDA python console, allowing arbitrary code execution.

Description of user facing changes
The devInfo script (open the log viewer and report navigator object information) is no longer available on the lock screen.

Description of development approach
Remove devInfo from safe scripts
Review the security of other scripts in safe scripts.
Added additional security protection to ScreenExplorer used by touch interaction, as well as setting the review position with api.setReviewPosition.

Testing strategy:
Test with a self-signed build the STR in GHSA-585m-rpvv-93qg
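The two layers the description above names, an allowlist of scripts permitted on the lock screen and an extra check at the point where the review position is set, shown as an added Python example. It is not NVDA's code or part of this pull request; every class, function and script name in it is hypothetical, and the sample objects are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Hypothetical script names; "dev_info" is absent because it opens another window.
SAFE_ON_LOCK_SCREEN = frozenset({"report_time", "report_focus"})


class BlockedOnLockScreen(Exception):
    """Raised when a non-allowlisted script is requested while locked."""


@dataclass(frozen=True)
class UiObject:
    name: str
    on_lock_screen: bool  # True only for objects that belong to the lock screen


@dataclass
class Session:
    locked: bool = False
    review_position: Optional[UiObject] = None

    def run_script(self, name: str, scripts: Dict[str, Callable[[], str]]) -> str:
        # Layer 1: allowlist checked at dispatch, before the script body runs.
        if self.locked and name not in SAFE_ON_LOCK_SCREEN:
            raise BlockedOnLockScreen(name)
        return scripts[name]()

    def set_review_position(self, obj: UiObject) -> bool:
        # Layer 2: checked at the sink, whichever script or gesture called it,
        # so one wrongly allowlisted script cannot move review to other windows.
        if self.locked and not obj.on_lock_screen:
            return False
        self.review_position = obj
        return True


def demo() -> dict:
    # Constructed scripts and UI objects, for illustration only.
    scripts = {"report_time": lambda: "12:00", "dev_info": lambda: "log viewer opened"}
    s = Session(locked=True)
    try:
        s.run_script("dev_info", scripts)
        dev_info = "ran"
    except BlockedOnLockScreen:
        dev_info = "blocked"
    return {
        "dev_info": dev_info,
        "report_time": s.run_script("report_time", scripts),
        "log_viewer_review": s.set_review_position(UiObject("log viewer", False)),
        "pin_field_review": s.set_review_position(UiObject("PIN field", True)),
    }
```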
See test results for failed build of commit b11ef9ae13
9088916 to 4f003eb
4f003eb to 73d9fa6
Please have a look at 428622f#r84574470 before merging.
See test results for failed build of commit 8feb183185
Merge rc to beta
Must be merge commit not squash merge