Re: [g-a-devel]role type - "password-text"
- From: "Padraig O'Briain" <Padraig Obriain Sun COM>
- To: gnome-accessibility-devel gnome org
- Cc: anju premachandran wipro com, mukund rajagopalan wipro com
- Subject: Re: [g-a-devel]role type - "password-text"
- Date: Mon, 29 Jul 2002 11:21:45 +0100 (BST)
I have just logged bug 89323 for this.
Padraig
> On Mon, 2002-07-29 at 10:17, Padraig O'Briain wrote:
> > Anju,
> >
> > The role password-text is currently set in gail/gailentry.c for a text entry
> > field for which entry->visible is FALSE.
> >
> > The function atk_text_get_text() reports the text actually typed in not what
> > is displayed.
>
> I do believe this is a security bug, my understanding has always been
> that a text field should report what is displayed in this case and not
> what was typed in.
>
> Certainly if we expose the password text here it creates very
> significant security issues for at-spi and accessibility solutions.
>
> -Bill
>
> > I am not sure what the ATs do with this information.
> >
> > Do you think that this is security bug and that the text for a GtkEntry for
> > which visible is FALSE should not report the text actually typed in?
> >
> > If you do, I would like to get confirmation from Peter Korn and Marc Mulcahy
> > that they agree with you.
> >
> > Padraig
> >
> >
> > > Hello all,
> > >
> > > I could see a role type called "password-text" in
> > > atk/atk/atk-enum-types.c.
> > > I guess this is used for text widgets that take passwords.
> > >
> > > Is this currently used anywhere?
> > > How does AT handle this ?
> > >
> > > Please give in your valuable suggestions and opinions
> > >
> > > Regards
> > > Anju
> > >
> > > -------- Original Message --------
> > > Subject: RE: hi
> > > Date: Wed, 24 Jul 2002 13:15:29 +0530
> > > From: "Mukund" <mukund rajagopalan wipro com>
> > > To: "Anju" <anju premachandran wipro com>
> > >
> > > Anju,
> > >
> > > >
> > > > There is a role type called "password-text" in
> > > > atk/atk/atk-enum-types.c. Where is this exactly used? Can it cause any
> > > > security loopholes?
> > > >
> > > (1) This would be something to *plug* any security hole. AT-s will have
> > > to look at this role and act accordingly. AT-s normally 'read-out' the
> > > text typed for blind users. The fact that you got a distinct role for
> > > passwords (instead of sharing the role of normal text) means that the
> > > AT-s will read "StarStarStarStar" when "ABCD" is typed.
> > > (2) The above, if right, means that you got to audit, not only the
> > > applications that have password-feature in them, but also the AT-s.
> > > That's because it's not sufficient that the apps set the AtkRole but the
> > > AT-s respect the roles that are set.
> > >
> > > (Disclaimer: All thoughts of mine are a guess and Bill will have to
> > > confirm but this is a good guess :-)
> > >
> > > Cheers,
> > > Mukund.
> > > _______________________________________________
> > > Gnome-accessibility-devel mailing list
> > > Gnome-accessibility-devel gnome org
> > > http://mail.gnome.org/mailman/listinfo/gnome-accessibility-devel
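The behaviour discussed in this thread, reporting what is displayed rather than what was typed when entry->visible is FALSE, as an added example that is not part of the original messages and is not GAIL's code. `EntryModel`, `entry_text_for_at` and the helper names are hypothetical stand-ins for the GtkEntry state; offsets are character offsets with -1 meaning "to the end", as in atk_text_get_text().

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the GtkEntry state discussed in the thread. */
typedef struct {
    const char *typed;   /* UTF-8 text the user actually typed */
    int visible;         /* 0 corresponds to entry->visible == FALSE */
    char mask;           /* ASCII character drawn in place of each typed one */
} EntryModel;

/* Count UTF-8 characters (not bytes) by skipping continuation bytes. */
static size_t utf8_len(const char *s)
{
    size_t n = 0;
    for (; *s; s++)
        if (((unsigned char)*s & 0xC0) != 0x80)
            n++;
    return n;
}

/* Pointer to the byte where character offset `off` starts. */
static const char *utf8_at(const char *s, size_t off)
{
    while (*s && off)
        if (((unsigned char)*++s & 0xC0) != 0x80)
            off--;
    return s;
}

/* Text handed to an assistive technology for character offsets
 * [start, end); end < 0 means "to the end". Out-of-range offsets are
 * clamped. Caller frees the result; NULL means allocation failure. */
char *entry_text_for_at(const EntryModel *e, int start, int end)
{
    size_t len = utf8_len(e->typed);
    size_t s = start < 0 ? 0 : (size_t)start;
    size_t t = (end < 0 || (size_t)end > len) ? len : (size_t)end;
    if (s > t) s = t;

    if (!e->visible) {
        /* Hidden entry: one mask char per typed character, never the text. */
        char *out = malloc(t - s + 1);
        if (out) { memset(out, e->mask, t - s); out[t - s] = '\0'; }
        return out;
    }
    const char *b = utf8_at(e->typed, s), *f = utf8_at(e->typed, t);
    char *out = malloc((size_t)(f - b) + 1);
    if (out) { memcpy(out, b, (size_t)(f - b)); out[f - b] = '\0'; }
    return out;
}
```

The masked branch counts characters rather than bytes, so a multi-byte password yields the same number of mask characters as the widget draws.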