Disallow opening the browse for addons dialog on secure screens to avoid a security exploit. #13059
Conversation
…at the log on screen via addon manager.
source/gui/addonGui.py
@@ -248,8 +248,9 @@ def __init__(self, parent): | |||
self.getAddonsButton = generalActions.addButton(self, label=_("&Get add-ons...")) |
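Review bot: the one visible line of this hunk, `self.getAddonsButton = generalActions.addButton(self, label=_("&Get add-ons..."))`, creates the button unconditionally, so gating only the install button still leaves a secure-screen user a path into a web browser opened with the secure screen's privileges; either disable this button under the same secure-screen condition as the install button, or refuse to construct the dialog at all on secure screens, which removes both paths with one check at the entry point.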
This button should also be disabled when in secure mode since it opens a web browser from which you can easily do a lot of insecure stuff.
See test results for failed build of commit eaf52ee0e5
OK, getAddons is also now disabled, and translation should work again. Not sure why system tests broke though.
Why not just disable the entire add-ons manager from a secure screen? As far as I know you can't do anything useful in it, since NVDA's configuration doesn't save in secure screens.
I did that in the initial PR, but people said they'd prefer this approach.
Since the add-on manager is not reachable via the NVDA menu in secure screens, I would also recommend making it impossible to open via a shortcut at all.
That was what my initial PR did, but no one seemed to like it. I'm cool with either way, just want to patch the security problem.
Hi, we can at least remove the add-on from it; I actually did this often in the past,
In addition to the install button, the button to get add-ons is also meaningless.
Yes, there are two options here:
I think the most appropriate direction here is to disable the add-ons manager from being opened at all on secure screens.
@michaelDCurran Done.
How is someone supposed to know what add-ons are active in the secure copy? Not everyone is able to browse to
This PR is aimed at fixing a security issue. So I think it should be addressed as soon as possible and not be delayed by "almost new feature" requests. The best way to address the security issue is to disable the possibility of opening the add-on manager dialog in secure screens; it seems this was the original intention of the NVDA developers when they implemented the menu item removal. In a subsequent step we may open a new issue and then a PR to discuss various possibilities regarding add-ons in secure screens, among which:
I agree. For now, the manager is just disabled. We can discuss possible implementations in a different issue/PR.
@michaelDCurran This PR seems ready to be merged. Are you planning to look into it? Frankly, if I were a new contributor and my one-line security bug fix would not be looked at in almost three months, this would be my first and last contribution. I really believe external contributions from newcomers should be given more attention!
@michaelDCurran - can I merge this?
Wow, this is still open? I honestly forgot this PR even existed in the first place; it's a single-line change and I don't get what's so hard about merging that.
@seanbudd if you're happy with the change / testing, please go ahead with the merge. @TheQuinbox Sorry this fell through the cracks, we'll review our processes to try to ensure this doesn't happen in the future.
…oid a security exploit. (#13059) Summary of the issue: It was possible for a user to bind a gesture to open the addons manager, copy their config to secure screens, press it, press the install button, and get a browse dialog, allowing them to run CMD as systemroot, and do all sorts of things. Description of how this pull request fixes the issue: Only show the addon manager if we're not on a secure screen.
Link to issue number:
Extension of #13056, but I slightly broke it, so redoing here.
Summary of the issue:
It was possible for a user to bind a gesture to open the addons manager, copy their config to secure screens, press it, press the install button, and get a browse dialog, allowing them to run CMD as systemroot, and do all sorts of things.
Description of how this pull request fixes the issue:
Only show the addon manager if we're not on a secure screen.
Testing strategy:
Known issues with pull request:
None
Change log entries:
Code Review Checklist:
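The chain in the summary above and the three mitigations the thread weighs (hide the menu item only, disable the two escaping buttons, or refuse to open the dialog at all) as an added example. This is not NVDA's code: `Session`, `AddonsDialog`, the `open_addons_manager_*` functions, the gesture identifier and the script name are hypothetical stand-ins for NVDA's gesture map and `gui/addonGui.py`, and the secure-screen flag (assumed to be `globalVars.appArgs.secure` in NVDA) is modelled as `Session.secure` rather than imported.

```python
"""Model of NVDA PR #13059: a gesture reaches the add-ons manager on a secure
screen even though the menu item is hidden there.

Added example, not NVDA's code. All names are hypothetical stand-ins; the
NVDA secure-screen flag is assumed to be globalVars.appArgs.secure and is
modelled here as Session.secure.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# Buttons in the add-ons manager that hand control to another UI surface.
# On a secure screen the screen reader runs with that screen's privileges,
# so anything launched from these surfaces inherits them.
ESCAPE_BUTTONS = {
    "install": "file-browse dialog, from which a shell can be launched",
    "getAddons": "web browser",
}

Opener = Callable[["Session"], Optional["AddonsDialog"]]


@dataclass
class Session:
    secure: bool  # True on the logon / UAC secure desktop
    # gesture identifier -> script; copied over with the user's config,
    # which is how the user's binding reaches the secure screen.
    gestures: Dict[str, Opener] = field(default_factory=dict)


class AddonsDialog:
    """Which buttons of the add-ons manager are enabled."""

    def __init__(self, session: Session, disable_escape_buttons: bool = False):
        self.enabled = {"install": True, "getAddons": True, "remove": True}
        if disable_escape_buttons and session.secure:
            # Intermediate approach discussed in the thread: keep the dialog
            # (so the user can still see and remove add-ons) but disable the
            # buttons that open other UI.
            for name in ESCAPE_BUTTONS:
                self.enabled[name] = False

    def reachable_escapes(self) -> List[str]:
        return [b for b, on in self.enabled.items() if on and b in ESCAPE_BUTTONS]


def build_menu(session: Session) -> List[str]:
    """The pre-existing partial mitigation: the menu omits the item on secure screens."""
    items = ["Preferences", "Help"]
    if not session.secure:
        items.insert(1, "Manage add-ons...")
    return items


def open_addons_manager_before(session: Session) -> Optional[AddonsDialog]:
    """Pre-fix: the opener itself has no check, so hiding the menu item is
    bypassed by any other caller, such as a gesture-bound script."""
    return AddonsDialog(session)


def open_addons_manager_buttons_only(session: Session) -> Optional[AddonsDialog]:
    """Disable only the escaping buttons on secure screens."""
    return AddonsDialog(session, disable_escape_buttons=True)


def open_addons_manager_after(session: Session) -> Optional[AddonsDialog]:
    """The merged approach: refuse to create the dialog at all on a secure screen.
    The check sits in the entry point every caller goes through, not in the menu."""
    if session.secure:
        return None
    return AddonsDialog(session)


def run_gesture(session: Session, gesture: str) -> Optional[AddonsDialog]:
    """Dispatch a gesture through the session's gesture map."""
    script = session.gestures.get(gesture)
    return script(session) if script else None


def replay_chain(opener: Opener, secure: bool = True) -> Tuple[bool, List[str]]:
    """Replay the PR's chain: bind a gesture to the opener, run with the config
    copied to a (secure) screen, press the gesture, and report whether the
    dialog opened and which escaping buttons are still reachable.
    The gesture identifier is a constructed sample, not a real NVDA binding."""
    gesture = "kb:NVDA+shift+a"
    session = Session(secure=secure, gestures={gesture: opener})
    dialog = run_gesture(session, gesture)
    return (dialog is not None, dialog.reachable_escapes() if dialog else [])


if __name__ == "__main__":
    for name, opener in (("before fix", open_addons_manager_before),
                         ("buttons only", open_addons_manager_buttons_only),
                         ("merged fix", open_addons_manager_after)):
        print(f"{name:12s} secure screen ->", replay_chain(opener))
```

Run it and the pre-fix opener opens the dialog on the secure screen with both `install` and `getAddons` reachable despite the menu item being absent; the buttons-only variant still opens the dialog but with no escaping button; the merged variant never opens it there and behaves normally on a non-secure screen.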