Re: requesting review of the SPRITEs Table Navigation for Chrome addon


 

Hi,
Uh oh, that's a potential security issue. Please address this as soon as possible.
Cheers,
Joseph

-----Original Message-----
From: nvda-addons@nvda-addons.groups.io <nvda-addons@nvda-addons.groups.io> On Behalf Of James Scholes
Sent: Thursday, June 10, 2021 4:54 PM
To: nvda-addons@nvda-addons.groups.io
Subject: Re: [nvda-addons] requesting review of the SPRITEs Table Navigation for Chrome addon

From line 29 of installTasks.py:

path = os.path.join(os.environ['APPDATA'], 'nvda\\sprites')

Please don't do this, because it is a fundamentally broken approach. Ask the running copy of NVDA for the user's config path, and then store logs there. If a user is running a portable copy of NVDA, one of two things will happen with your current code:

1. The add-on will write logs to appdata, even though no data from a portable copy should ever persist on the system. Or...
2. Worse, the user will run a portable copy on a completely different computer that has a different username, and the add-on will fail to log (or create directories for a non-existent user).

Note: the same applies to line 30 of __init__.py in your Chrome app module.

Until this is fixed, this add-on should not be given a green light, and it is slightly disappointing that this hasn't been highlighted until now.

Regards,

James Scholes

On 10/06/2021 at 5:32 pm, Venkatesh Potluri wrote:
Thank you Joseph.

Best, Venkatesh
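The fix requested in the review, as an added example that is not part of the thread and not the add-on's own code: a log-directory helper that takes its base from the running copy's config path, plus a small source check a reviewer could run to flag APPDATA lookups. The names `addon_log_dir` and `find_appdata_lookups` are hypothetical, the sample source is constructed, and the example assumes NVDA exposes the running copy's config directory as `globalVars.appArgs.configPath`.

```python
import ast
import os


def addon_log_dir(config_path=None, subdir="sprites"):
    """Return (and create) the log directory under the running copy's config path."""
    if config_path is None:
        # Assumption: inside NVDA, appArgs.configPath is the config directory of
        # the copy that is running (installed or portable). Imported lazily
        # because globalVars only exists inside NVDA.
        import globalVars
        config_path = globalVars.appArgs.configPath
    path = os.path.join(config_path, subdir)
    os.makedirs(path, exist_ok=True)
    return path


def find_appdata_lookups(source):
    """Return sorted line numbers where the source reads an *APPDATA* variable."""
    hits = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Subscript):
            # os.environ['APPDATA']
            candidates = list(ast.walk(node.slice))
        elif isinstance(node, ast.Call):
            # os.getenv('APPDATA'), os.environ.get(...), os.path.expandvars('%APPDATA%')
            name = getattr(node.func, "attr", getattr(node.func, "id", ""))
            if name not in {"getenv", "get", "expandvars"}:
                continue
            candidates = node.args
        else:
            continue
        for cand in candidates:
            if (isinstance(cand, ast.Constant) and isinstance(cand.value, str)
                    and "APPDATA" in cand.value.upper()):
                hits.add(node.lineno)
    return sorted(hits)


# Constructed sample: line 2 mirrors the pattern quoted in the review.
SAMPLE = r'''import os
path = os.path.join(os.environ['APPDATA'], 'nvda\\sprites')
fallback = os.getenv("APPDATA")
safe = os.path.join(config_path, "sprites")
'''

if __name__ == "__main__":
    print(find_appdata_lookups(SAMPLE))
```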
