Prevent Object Navigation Outside of the Lock Screen #13328
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
michaelDCurran
approved these changes
Feb 10, 2022
seanbudd
added a commit
that referenced
this pull request
Feb 18, 2022
Link to issue number: None, follow up on #5269 Summary of the issue: On earlier Windows 10 builds, the top-level Window (Role.WINDOW) of the lock screen cannot directly navigate to the system with object navigation, but its parent can. This was fixed in a commit addressing #5269. On Windows 11 and newer Windows 10 builds, the top-level Window can directly navigate to the system with object navigation. STR: 1. Press Windows+L 1. press containing object (NVDA+numpad8/NVDA+shift+upArrow), 1. then you can use next object (NVDA+numpad6/NVDA+shift+rightArrow) to navigate the system. 1. On Windows 10 and 11, using "Navigate to the object under the mouse" (NVDA+numpadMultiply/NVDA+shift+n), you can navigate outside to the system from the lock screen. Microsoft is aware of this issue. Description of how this pull request fixes the issue: This PR adds a function which checks if the lockapp is the foreground window, and if so, if a given object is outside of the lockapp. To prevent focus objects being set or used for navigation, this function is utilised in various api methods. An overlay class is also added which prevents navigation and announcement of content outside of the lockapp. This PR also adds `GlobalCommands.script_navigatorObject_devInfo` to the allowed commands on the lockscreen to aid with debugging. This command should be safe as: - The command only logs objects it can navigate to - The log viewer cannot be accessed from the lockscreen Testing strategy: Manual testing on Windows 11, Windows 10 21H2, Windows 10 1809 - Attempt to navigate outside the top level window of the lock screen using object navigation using STR - Ensure the lock screen can still be navigated with object navigation An advisory is required to be sent out for earlier NVDA versions.
seanbudd
added a commit
that referenced
this pull request
Feb 21, 2022
Link to issue number: None, follow up on #5269 Summary of the issue: On earlier Windows 10 builds, the top-level Window (Role.WINDOW) of the lock screen cannot directly navigate to the system with object navigation, but its parent can. This was fixed in a commit addressing #5269. On Windows 11 and newer Windows 10 builds, the top-level Window can directly navigate to the system with object navigation. STR: 1. Press Windows+L 1. press containing object (NVDA+numpad8/NVDA+shift+upArrow), 1. then you can use next object (NVDA+numpad6/NVDA+shift+rightArrow) to navigate the system. 1. On Windows 10 and 11, using "Navigate to the object under the mouse" (NVDA+numpadMultiply/NVDA+shift+n), you can navigate outside to the system from the lock screen. Microsoft is aware of this issue. Description of how this pull request fixes the issue: This PR adds a function which checks if the lockapp is the foreground window, and if so, if a given object is outside of the lockapp. To prevent focus objects being set or used for navigation, this function is utilised in various api methods. An overlay class is also added which prevents navigation and announcement of content outside of the lockapp. This PR also adds `GlobalCommands.script_navigatorObject_devInfo` to the allowed commands on the lockscreen to aid with debugging. This command should be safe as: - The command only logs objects it can navigate to - The log viewer cannot be accessed from the lockscreen Testing strategy: Manual testing on Windows 11, Windows 10 21H2, Windows 10 1809 - Attempt to navigate outside the top level window of the lock screen using object navigation using STR - Ensure the lock screen can still be navigated with object navigation An advisory is required to be sent out for earlier NVDA versions.
feerrenrut
pushed a commit
that referenced
this pull request
Sep 21, 2022
Addresses GHSA-585m-rpvv-93qg Summary of the issue: NVDA introduced the report dev info script as a safe script for the lock screen in 2021.3.2 via #13328. This was under the assumption that the log viewer never shows up on the lock screen. However, using certain steps, the log viewer can be interacted with on the lock screen. Further steps allow opening the NVDA python console, allowing arbitrary code execution. Description of user facing changes The devInfo script (open the log viewer and report navigator object information) is no longer available on the lock screen. Description of development approach Remove devInfo from safe scripts Review the security of other scripts in safe scripts. Added additional security protection to ScreenExplorer used by touch interaction, as well as setting the review position with api.setReviewPosition. Testing strategy: Test with a self-signed build the STR in GHSA-585m-rpvv-93qg
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Link to issue number:
None, follow up on #5269
Summary of the issue:
On earlier Windows 10 builds, the top-level Window (
Role.WINDOW) of the lock screen cannot directly navigate to the system with object navigation, but its parent can. This was fixed in a commit addressing #5269.On Windows 11 and newer Windows 10 builds, the top-level Window can directly navigate to the system with object navigation.
STR:
On Windows 10 and 11, using "Navigate to the object under the mouse" (
NVDA+numpadMultiply/NVDA+shift+n), you can navigate outside to the system from the lock screen.Microsoft is aware of this issue.
Description of how this pull request fixes the issue:
This PR adds a function which checks if the lockapp is the foreground window, and if so, if a given object is outside of the lockapp.
To prevent focus objects being set or used for navigation, this function is utilised in various
apimethods.An overlay class is also added which prevents navigation and announcement of content outside of the lockapp.
This PR also adds
GlobalCommands.script_navigatorObject_devInfoto the allowed commands on the lockscreen to aid with debugging.This command should be safe as:
Testing strategy:
Manual testing on Windows 11, Windows 10 21H2, Windows 10 1809
Known issues with pull request:
Performing 2 windows windll at every attempt to object navigate might add latency to object navigation.
This is mitigated by checking first if the lockapp appModule is running, however the lockapp process stays alive for sometime and cannot be used by itself.
An advisory is required to be sent out for earlier NVDA versions.
Change log entries:
Bug fixes
Code Review Checklist: