Re: [g-a-devel]role type - "password-text"

From: Bill Haneman <bill haneman sun com>
To: "Padraig O'Briain" <Padraig Obriain sun com>
Cc: gnome-accessibility-devel gnome org, anju premachandran wipro com, mukund rajagopalan wipro com, peter korn sun com, marc mulcahy sun com
Subject: Re: [g-a-devel]role type - "password-text"
Date: 29 Jul 2002 11:56:36 +0100

On Mon, 2002-07-29 at 10:17, Padraig O'Briain wrote:
> Anju,
> 
> The role password-text is currently set in gail/gailentry.c for a text entry 
> field for which entry->visible is FALSE.
> 
> The function atk_text_get_text() reports the text actually typed in not what is 
> displayed.

I do believe this is a security bug, my understanding has always been
that a text field should report what is displayed in this case and not
what was typed in.

Certainly if we expose the password text here it creates very
significant security issues for at-spi and accessibility solutions.

-Bill

> I am not sure what the ATs do with this information.
> 
> Do you think that this is security bug and that the text for a GtkEntry for 
> which visible is FALSE should not report the text actually typed in?
> 
> If you do, I would like to get confirmation from Peter Korn and Marc Mulcahy 
> that they agree with you.
> 
> Padraig
> 
> 
> > Hello all,
> > 
> > I could see a role type called "password-text" in
> > atk/atk/atk-enum-types.c.
> > I guess this is used for text widgets that take passwords.
> > 
> > Is this currently used anywhere?
> > How does AT handle this ?
> > 
> > Please give in your valuable suggestions and opinions
> > 
> > Regards
> > Anju
> > 
> > -------- Original Message --------
> > Subject: RE: hi
> > Date: Wed, 24 Jul 2002 13:15:29 +0530
> > From: "Mukund" <mukund rajagopalan wipro com>
> > To: "Anju" <anju premachandran wipro com>
> > 
> > Anju,
> > 
> > >
> > > There is a role type called "password-text" in
> > > atk/atk/atk-enum-types.c.Where is this exactly used?Can it cause any
> > > security loopholes?
> > >
> > 	(1) This would be something to *plug* any security hole. AT-s will have
> > to look at this role and act accordingly. AT-s normally 'read-out' the
> > text typed for blind users. The fact that you got a distinct role for
> > passwords (instead of sharing the role of normal text) means that the
> > AT-s will read "StarStarStarStar" when "ABCD" is typed.
> > 	(2) The above, if right, means that you got to audit, not only the
> > applications that has password-feature in them, but also the AT-s.
> > That's because it's not sufficient that the apps set the AtkRole but the
> > AT-s respect the roles that are set.
> > 
> > 	(Disclaimer: All thoughts of mine are a guess and Bill will have to
> > confirm but this is a good guess :-)
> > 
> > Cheers,
> > Mukund.
> > _______________________________________________
> > Gnome-accessibility-devel mailing list
> > Gnome-accessibility-devel gnome org
> > http://mail.gnome.org/mailman/listinfo/gnome-accessibility-devel
> 
> _______________________________________________
> Gnome-accessibility-devel mailing list
> Gnome-accessibility-devel gnome org
> http://mail.gnome.org/mailman/listinfo/gnome-accessibility-devel

Follow-Ups:
- Re: [g-a-devel]role type - "password-text"
  - From: Michael Meeks

References:
- Re: [g-a-devel]role type - "password-text"
  - From: Padraig O'Briain

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]