Merge pull request from GHSA-3jj9-295f-h69w

Prevent browsable message access on secure screens
nvaccess · Nov 8, 2022 · 9823556 · 9823556
2 parents a8e910e + 1530433
commit 9823556
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 5 deletions.
diff --git a/source/ui.py b/source/ui.py
@@ -23,6 +23,7 @@
 import globalVars
 from typing import Optional
 
+from systemUtils import _isSecureDesktop
 
 # From urlmon.h
 URL_MK_UNIFORM = 1
@@ -38,16 +39,59 @@
 HTMLDLG_VERIFY = 0x0100 
 
 
-def browseableMessage(message,title=None,isHtml=False):
+def _warnBrowsableMessageNotAvailableOnSecureScreens(title: Optional[str]) -> None:
+	"""Warn the user that a browsable message could not be shown on a secure screen (sign-on screen / UAC
+	prompt).
+	@param title: If provided, the title of the browsable message to give the user more context.
+	"""
+	log.warning(
+		"While on secure screens browsable messages can not be used."
+		" The browsable message window creates a security risk."
+		f" Attempted to open message with title: {title!r}"
+	)
+
+	if not title:
+		browsableMessageUnavailableMsg: str = _(
+			# Translators: This is the message for a warning shown if NVDA cannot open a browsable message window
+			# when Windows is on a secure screen (sign-on screen / UAC prompt).
+			"This feature is unavailable while on secure screens such as the sign-on screen or UAC prompt."
+		)
+	else:
+		browsableMessageUnavailableMsg: str = _(
+			# Translators: This is the message for a warning shown if NVDA cannot open a browsable message window
+			# when Windows is on a secure screen (sign-on screen / UAC prompt). This prompt includes the title
+			# of the Window that could not be opened for context.
+			# The {title} will be replaced with the title.
+			# The title may be something like "Formatting".
+			"This feature ({title}) is unavailable while on secure screens"
+			" such as the sign-on screen or UAC prompt."
+		)
+		browsableMessageUnavailableMsg = browsableMessageUnavailableMsg.format(title=title)
+
+	import wx  # Late import to prevent circular dependency.
+	import gui  # Late import to prevent circular dependency.
+	log.debug("Presenting browsable message unavailable warning.")
+	gui.messageBox(
+		browsableMessageUnavailableMsg,
+		# Translators: This is the title for a warning dialog, shown if NVDA cannot open a browsable message
+		# dialog.
+		caption=_("Feature unavailable."),
+		style=wx.ICON_ERROR | wx.OK,
+	)
+
+
+def browseableMessage(message: str, title: Optional[str] = None, isHtml: bool = False) -> None:
 	"""Present a message to the user that can be read in browse mode.
 	The message will be presented in an HTML document.
 	@param message: The message in either html or text.
-	@type message: str
 	@param title: The title for the message.
-	@type title: str
 	@param isHtml: Whether the message is html
-	@type isHtml: boolean
 	"""
+	if _isSecureDesktop():
+		import wx  # Late import to prevent circular dependency.
+		wx.CallAfter(_warnBrowsableMessageNotAvailableOnSecureScreens, title)
+		return
+
 	htmlFileName = os.path.join(globalVars.appDir, 'message.html')
 	if not os.path.isfile(htmlFileName ): 
 		raise LookupError(htmlFileName )

diff --git a/user_docs/en/changes.t2t b/user_docs/en/changes.t2t
@@ -7,7 +7,9 @@ What's New in NVDA
 This is a minor release to fix regressions with 2022.3.1 and address a security issue.
 
 == Security Fixes ==
-
+- Prevents possible system level access for unauthenticated users.
+([GHSA-3jj9-295f-h69w https://github.com/nvaccess/nvda/security/advisories/GHSA-3jj9-295f-h69w])
+-
 
 == Bug Fixes ==
 - Fixes a regression from 2022.3.1 where certain functionality was disabled on secure screens. (#14286)