Merge pull request #13363 from nvaccess/securityPatchFix2021.3.2

Security fix cherry-picks for 2021.3.2
nvaccess · Feb 21, 2022 · 4443b3d · 4443b3d
2 parents 952d28b + 7e07a2f
commit 4443b3d
Show file tree

Hide file tree

Showing 8 changed files with 192 additions and 70 deletions.
diff --git a/source/api.py b/source/api.py
@@ -1,5 +1,5 @@
 # A part of NonVisual Desktop Access (NVDA)
-# Copyright (C) 2006-2020 NV Access Limited, James Teh, Michael Curran, Peter Vagner, Derek Riemer,
+# Copyright (C) 2006-2022 NV Access Limited, James Teh, Michael Curran, Peter Vagner, Derek Riemer,
 # Davy Kager, Babbage B.V., Leonard de Ruijter, Joseph Lee, Accessolutions, Julien Cochuyt
 # This file may be used under the terms of the GNU General Public License, version 2 or later.
 # For more details see: https://www.gnu.org/licenses/gpl-2.0.html
@@ -25,6 +25,38 @@
 from typing import Any, Optional
 
 
+def _isLockAppAndAlive(appModule: "appModuleHandler.AppModule"):
+	return appModule.appName == "lockapp" and appModule.isAlive
+
+
+def _isSecureObjectWhileLockScreenActivated(obj: NVDAObjects.NVDAObject) -> bool:
+	"""
+	While Windows is locked, Windows 10 and 11 allow for object navigation outside of the lockscreen.
+	@return: C{True} if the Windows 10/11 lockscreen is active and C{obj} is outside of the lockscreen.
+
+	According to MS docs, "There is no function you can call to determine whether the workstation is locked."
+	https://docs.microsoft.com/en-gb/windows/win32/api/winuser/nf-winuser-lockworkstation
+	"""
+	runningAppModules = appModuleHandler.runningTable.values()
+	lockAppModule = next(filter(_isLockAppAndAlive, runningAppModules), None)
+	if lockAppModule is None:
+		return False
+
+	# The LockApp process might be kept alive
+	# So determine if it is active, check the foreground window
+	foregroundHWND = winUser.getForegroundWindow()
+	foregroundProcessId, _threadId = winUser.getWindowThreadProcessID(foregroundHWND)
+
+	isLockAppForeground = foregroundProcessId == lockAppModule.processID
+	isObjectOutsideLockApp = obj.appModule.processID != foregroundProcessId
+
+	if isLockAppForeground and isObjectOutsideLockApp:
+		if log.isEnabledFor(log.DEBUG):
+			devInfo = '\n'.join(obj.devInfo)
+			log.debug(f"Attempt at navigating to a secure object: {devInfo}")
+		return True
+	return False
+
 #User functions
 
 def getFocusObject() -> NVDAObjects.NVDAObject:
@@ -34,41 +66,51 @@ def getFocusObject() -> NVDAObjects.NVDAObject:
 	"""
 	return globalVars.focusObject
 
-def getForegroundObject():
+
+def getForegroundObject() -> NVDAObjects.NVDAObject:
 	"""Gets the current foreground object.
 	This (cached) object is the (effective) top-level "window" (hwnd).
 	EG a Dialog rather than the focused control within the dialog.
 	The cache is updated as queued events are processed, as such there will be a delay between the winEvent
 	and this function matching. However, within NVDA this should be used in order to be in sync with other
 	functions such as "getFocusAncestors".
-@returns: the current foreground object
-@rtype: L{NVDAObjects.NVDAObject}
-"""
+	@returns: the current foreground object
+	"""
 	return globalVars.foregroundObject
 
-def setForegroundObject(obj):
+
+def setForegroundObject(obj: NVDAObjects.NVDAObject) -> bool:
 	"""Stores the given object as the current foreground object.
 	Note: does not cause the operating system to change the foreground window,
 		but simply allows NVDA to keep track of what the foreground window is.
 		Alternative names for this function may have been:
 		- setLastForegroundWindow
 		- setLastForegroundEventObject
-@param obj: the object that will be stored as the current foreground object
-@type obj: NVDAObjects.NVDAObject
-"""
+	@param obj: the object that will be stored as the current foreground object
+	"""
 	if not isinstance(obj,NVDAObjects.NVDAObject):
 		return False
+	if _isSecureObjectWhileLockScreenActivated(obj):
+		return False
 	globalVars.foregroundObject=obj
 	return True
 
-def setFocusObject(obj):
-	"""Stores an object as the current focus object. (Note: this does not physically change the window with focus in the operating system, but allows NVDA to keep track of the correct object).
-Before overriding the last object, this function calls event_loseFocus on the object to notify it that it is loosing focus. 
-@param obj: the object that will be stored as the focus object
-@type obj: NVDAObjects.NVDAObject
-"""
+
+# C901 'setFocusObject' is too complex
+# Note: when working on setFocusObject, look for opportunities to simplify
+# and move logic out into smaller helper functions.
+def setFocusObject(obj: NVDAObjects.NVDAObject) -> bool:  # noqa: C901
+	"""Stores an object as the current focus object.
+	Note: this does not physically change the window with focus in the operating system,
+	but allows NVDA to keep track of the correct object.
+	Before overriding the last object,
+	this function calls event_loseFocus on the object to notify it that it is losing focus.
+	@param obj: the object that will be stored as the focus object
+	"""
 	if not isinstance(obj,NVDAObjects.NVDAObject):
 		return False
+	if _isSecureObjectWhileLockScreenActivated(obj):
+		return False
 	if globalVars.focusObject:
 		eventHandler.executeEvent("loseFocus",globalVars.focusObject)
 	oldFocusLine=globalVars.focusAncestors
@@ -169,16 +211,24 @@ def getMouseObject():
 	"""Returns the object that is directly under the mouse"""
 	return globalVars.mouseObject
 
-def setMouseObject(obj):
+
+def setMouseObject(obj: NVDAObjects.NVDAObject) -> None:
 	"""Tells NVDA to remember the given object as the object that is directly under the mouse"""
+	if _isSecureObjectWhileLockScreenActivated(obj):
+		return
 	globalVars.mouseObject=obj
 
-def getDesktopObject():
+
+def getDesktopObject() -> NVDAObjects.NVDAObject:
 	"""Get the desktop object"""
 	return globalVars.desktopObject
 
-def setDesktopObject(obj):
-	"""Tells NVDA to remember the given object as the desktop object"""
+
+def setDesktopObject(obj: NVDAObjects.NVDAObject) -> None:
+	"""Tells NVDA to remember the given object as the desktop object.
+	We cannot prevent setting this when _isSecureObjectWhileLockScreenActivated is True,
+	as NVDA needs to set the desktopObject on start, and NVDA may start from the lockscreen.
+	"""
 	globalVars.desktopObject=obj
 
 def getReviewPosition():
@@ -222,36 +272,45 @@ def setReviewPosition(
 		visionContext = vision.constants.Context.REVIEW
 	vision.handler.handleReviewMove(context=visionContext)
 
-def getNavigatorObject():
-	"""Gets the current navigator object. Navigator objects can be used to navigate around the operating system (with the number pad) with out moving the focus. If the navigator object is not set, it fetches it from the review position. 
-@returns: the current navigator object
-@rtype: L{NVDAObjects.NVDAObject}
-"""
+
+def getNavigatorObject() -> NVDAObjects.NVDAObject:
+	"""Gets the current navigator object.
+	Navigator objects can be used to navigate around the operating system (with the numpad),
+	without moving the focus.
+	If the navigator object is not set, it fetches and sets it from the review position.
+	@returns: the current navigator object
+	"""
 	if globalVars.navigatorObject:
 		return globalVars.navigatorObject
+	elif review.getCurrentMode() == 'object':
+		obj = globalVars.reviewPosition.obj
 	else:
-		if review.getCurrentMode()=='object':
-			obj=globalVars.reviewPosition.obj
-		else:
-			try:
-				obj=globalVars.reviewPosition.NVDAObjectAtStart
-			except (NotImplementedError,LookupError):
-				obj=globalVars.reviewPosition.obj
-		globalVars.navigatorObject=getattr(obj,'rootNVDAObject',None) or obj
+		try:
+			obj = globalVars.reviewPosition.NVDAObjectAtStart
+		except (NotImplementedError, LookupError):
+			obj = globalVars.reviewPosition.obj
+	nextObj = getattr(obj, 'rootNVDAObject', None) or obj
+	if _isSecureObjectWhileLockScreenActivated(nextObj):
 		return globalVars.navigatorObject
+	globalVars.navigatorObject = nextObj
+	return globalVars.navigatorObject
+
+
+def setNavigatorObject(obj: NVDAObjects.NVDAObject, isFocus: bool = False) -> Optional[bool]:
+	"""Sets an object to be the current navigator object.
+	Navigator objects can be used to navigate around the operating system (with the numpad),
+	without moving the focus.
+	It also sets the current review position to None so that next time the review position is asked for,
+	it is created from the navigator object.
+	@param obj: the object that will be set as the current navigator object
+	@param isFocus: true if the navigator object was set due to a focus change.
+	"""
 
-def setNavigatorObject(obj,isFocus=False):
-	"""Sets an object to be the current navigator object. Navigator objects can be used to navigate around the operating system (with the number pad) with out moving the focus. It also sets the current review position to None so that next time the review position is asked for, it is created from the navigator object.  
-@param obj: the object that will be set as the current navigator object
-@type obj: NVDAObjects.NVDAObject  
-@param isFocus: true if the navigator object was set due to a focus change.
-@type isFocus: bool
-"""
-	if not isinstance(obj,NVDAObjects.NVDAObject):
+	if not isinstance(obj, NVDAObjects.NVDAObject):
+		return False
+	if _isSecureObjectWhileLockScreenActivated(obj):
 		return False
 	globalVars.navigatorObject=obj
-	oldPos=globalVars.reviewPosition
-	oldPosObj=globalVars.reviewPositionObj
 	globalVars.reviewPosition=None
 	globalVars.reviewPositionObj=None
 	reviewMode=review.getCurrentMode()

diff --git a/source/appModuleHandler.py b/source/appModuleHandler.py
@@ -1,31 +1,33 @@
 # -*- coding: UTF-8 -*-
 # A part of NonVisual Desktop Access (NVDA)
-# Copyright (C) 2006-2019 NV Access Limited, Peter Vágner, Aleksey Sadovoy, Patrick Zajda, Joseph Lee,
-# Babbage B.V., Mozilla Corporation
+# Copyright (C) 2006-2022 NV Access Limited, Peter Vágner, Aleksey Sadovoy, Patrick Zajda, Joseph Lee,
+# Babbage B.V., Mozilla Corporation, Julien Cochuyt
 # This file is covered by the GNU General Public License.
 # See the file COPYING for more details.
 
 """Manages appModules.
 @var runningTable: a dictionary of the currently running appModules, using their application's main window handle as a key.
-@type runningTable: dict
 """
 
 import itertools
 import ctypes
 import ctypes.wintypes
 import os
 import sys
+from typing import (
+	Dict,
+	Optional,
+)
+
 import winVersion
 import pkgutil
 import importlib
 import threading
 import tempfile
 import comtypes.client
 import baseObject
-import globalVars
 from logHandler import log
 import NVDAHelper
-import winUser
 import winKernel
 import config
 import NVDAObjects #Catches errors before loading default appModule
@@ -35,8 +37,8 @@
 import extensionPoints
 from fileUtils import getFileVersionInfo
 
-#Dictionary of processID:appModule paires used to hold the currently running modules
-runningTable={}
+# Dictionary of processID:appModule pairs used to hold the currently running modules
+runningTable: Dict[int, "AppModule"] = {}
 #: The process ID of NVDA itself.
 NVDAProcessID=None
 _importers=None
@@ -103,12 +105,11 @@ def getAppModuleForNVDAObject(obj):
 		return
 	return getAppModuleFromProcessID(obj.processID)
 
-def getAppModuleFromProcessID(processID):
+
+def getAppModuleFromProcessID(processID: int) -> "AppModule":
 	"""Finds the appModule that is for the given process ID. The module is also cached for later retreavals.
 	@param processID: The ID of the process for which you wish to find the appModule.
-	@type processID: int
-	@returns: the appModule, or None if there isn't one
-	@rtype: appModule 
+	@returns: the appModule
 	"""
 	with _getAppModuleLock:
 		mod=runningTable.get(processID)
@@ -334,18 +335,22 @@ class AppModule(baseObject.ScriptableObject):
 	#: @type: bool
 	sleepMode=False
 
+	processID: int
+	"""The ID of the process this appModule is for"""
+
+	appName: str
+	"""The application name"""
+
 	def __init__(self,processID,appName=None):
 		super(AppModule,self).__init__()
-		#: The ID of the process this appModule is for.
-		#: @type: int
 		self.processID=processID
 		if appName is None:
 			appName=getAppNameFromProcessID(processID)
-		#: The application name.
-		#: @type: str
 		self.appName=appName
 		self.processHandle=winKernel.openProcess(winKernel.SYNCHRONIZE|winKernel.PROCESS_QUERY_INFORMATION,False,processID)
-		self.helperLocalBindingHandle=None
+		self.helperLocalBindingHandle: Optional[ctypes.c_long] = None
+		"""RPC binding handle pointing to the RPC server for this process"""
+
 		self._inprocRegistrationHandle=None
 
 	def _getExecutableFileInfo(self):
@@ -423,6 +428,8 @@ def __repr__(self):
 	def _get_appModuleName(self):
 		return self.__class__.__module__.split('.')[-1]
 
+	isAlive: bool
+
 	def _get_isAlive(self):
 		return bool(winKernel.waitForSingleObject(self.processHandle,0))