Merge pull request from GHSA-h7pp-6jqw-g3pj

Prevent unauthorised system access through pasting in secure mode
nvaccess · Jan 14, 2024 · d5e2b6b · d5e2b6b
2 parents 47a4b41 + 0324475
commit d5e2b6b
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 3 deletions.
diff --git a/source/appModules/nvda.py b/source/appModules/nvda.py
@@ -1,5 +1,5 @@
 # A part of NonVisual Desktop Access (NVDA)
-# Copyright (C) 2008-2021 NV Access Limited, James Teh, Michael Curran, Leonard de Ruijter, Reef Turner,
+# Copyright (C) 2008-2024 NV Access Limited, James Teh, Michael Curran, Leonard de Ruijter, Reef Turner,
 # Julien Cochuyt
 # This file may be used under the terms of the GNU General Public License, version 2 or later.
 # For more details see: https://www.gnu.org/licenses/gpl-2.0.html
@@ -17,7 +17,6 @@
 from scriptHandler import script
 import speech
 import textInfos
-import braille
 import config
 from logHandler import log
 
@@ -27,6 +26,7 @@
 
 nvdaMenuIaIdentity = None
 
+
 class NvdaDialog(IAccessible):
 	"""Fix to ensure NVDA message dialogs get reported when they pop up.
 	"""
@@ -253,3 +253,16 @@ def chooseNVDAObjectOverlayClasses(self, obj, clsList):
 		elif self.isNvdaPythonConsoleUIOutputCtrl(obj):
 			clsList.insert(0, NvdaPythonConsoleUIOutputClear)
 			clsList.insert(0, NvdaPythonConsoleUIOutputCtrl)
+
+	@gui.blockAction.when(
+		gui.blockAction.Context.SECURE_MODE,
+		gui.blockAction.Context.WINDOWS_LOCKED,
+	)
+	@script(gesture="kb:control+v")
+	def script_paste(self, gesture: "inputCore.InputGesture") -> None:
+		# This function has no description and does not appear in input gestures
+		# as it should not be modified by the user.
+		# This function processes the paste gesture when performed in NVDA windows for security reasons.
+		# When in secure mode, or while Windows is locked, the default paste behaviour is blocked.
+		# Refer to this NVDA security advisory for details: https://github.com/nvaccess/nvda/security/advisories/GHSA-h7pp-6jqw-g3pj
+		gesture.send()
diff --git a/source/buildVersion.py b/source/buildVersion.py
@@ -67,7 +67,7 @@ def formatVersionForGUI(year, major, minor):
 name = "NVDA"
 version_year = 2023
 version_major = 3
-version_minor = 0
+version_minor = 1
 version_build = 0  # Should not be set manually. Set in 'sconscript' provided by 'appVeyor.yml'
 version=_formatDevVersionString()
 publisher="unknown"

diff --git a/user_docs/en/changes.t2t b/user_docs/en/changes.t2t
@@ -4,6 +4,15 @@ What's New in NVDA
 %!includeconf: ../changes.t2tconf
 %!includeconf: ./locale.t2tconf
 
+= 2023.3.1 =
+This is a patch release to fix a security issue.
+Please responsibly disclose security issues following NVDA's [security policy https://github.com/nvaccess/nvda/blob/master/security.md].
+
+== Security Fixes ==
+- Prevents possible system access and arbitrary code execution with system privileges for unauthenticated users.
+([GHSA-h7pp-6jqw-g3pj https://github.com/nvaccess/nvda/security/advisories/GHSA-h7pp-6jqw-g3pj])
+-
+
 = 2023.3 =
 This release includes improvements to performance, responsiveness and stability of audio output.
 Options have been added to control the volume of NVDA sounds and beeps, or to have them follow the volume of the voice you are using.