Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Address security implications of custom plugins and drivers being used on secure desktops #1426

Closed
nvaccessAuto opened this Issue Mar 22, 2011 · 2 comments

Comments

Projects
None yet
1 participant
@nvaccessAuto
Copy link

nvaccessAuto commented Mar 22, 2011

Reported by jteh on 2011-03-22 23:12
When the "Use currently saved settings on the logon and other secure screens" button is pressed, NVDA copies the entire user configuration to the system config, including plugins and drivers. This has security implications for users who might not think about what untrusted plugins or drivers they have in their configuration. There are a few possible solutions:

  1. Add a warning to the User Guide, and/or present a message to the user when they hit the button warning them of these implications and to check their config. Simple, but potentially annoying for users that just want to do a simple setting change.
  2. Only copy the settings (nvda.ini) and speech dicts.
    • Some users probably do want to use custom drivers on secure screens. However, I guess they can copy them in manually if they really want to do this.
    • What if the settings specify a custom synth/braille display driver? We'll fall back to the default anyway, but this is still fairly ugly.
  3. Provide options for what parts of the config to copy.
    • Fairly complicated and probably not user friendly.

Marking as minor because this does require admin privs, so it's fair to expect the user to be a little careful.

@nvaccessAuto

This comment has been minimized.

Copy link
Author

nvaccessAuto commented May 23, 2011

Comment 1 by jteh on 2011-05-23 15:50
Solution: display a warning dialog when the button is pressed only if there are user provided drivers or plugins.

@nvaccessAuto

This comment has been minimized.

Copy link
Author

nvaccessAuto commented May 28, 2011

Comment 2 by mdcurran on 2011-05-28 01:47
Fixed in 7bac8e6. When the user presses the button to copy user settings to the system profile, they are now asked if they still wish to do this, if custom plugins are detected.
Changes:
State: closed

@nvaccessAuto nvaccessAuto added this to the 2011.2 milestone Nov 10, 2015

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.