keyboard focus bug?

[ix4...@gmail.com]

There seems to be a dangerous bug, whereby even though the mouse focus of the window manager is very clearly on one window (e.g. I've clicked elements in that window that have become highlighted), my keyboard focus is on another window! So one has the surreal experience of typing away on the foreground & highlighted/active window and seeing the input be received by one of the background windows (thankfully of the same AppVM).

This always involves the use of KeePassX, which traps [CTR-V] as "Perform auto-type". My typical workflow:

1. start "passwords" AppVM

2. highlight, copy, SHFT-CTRL-C my "personal" master pw

3. start "personal" AppVM by firing up Firefox & KeePassX

4. click on the KeePassX window, hit SHFT-CTRL-V & CTRL-V. The master pw is correctly copied into the dialog box and my personal AppVM pw db is unlocked.

5. ALT-TAB or click on the FF window to ensure the focus is on the right field (the "username" field of the form I want to autocomplete").

6. ALT-TAB or click on the KeePassX window, highlight the credentials entry I want to use, hit CTRL-V

7. Watch in horror as my master pw which was copied earlier from the non-networked password AppVM is pasted into Firefox!

8. At that point, with the KeePassX window in the foreground, clicking entries in it with the mouse, anything I type is received by the non-active Firefox window, not just CTRL-V.

This is very tricky as it can lead to information disclosure to unintended applications.

Thoughts?

Alex

[Abel Luck]

ix4...@gmail.com:

> There seems to be a dangerous bug, whereby even though the mouse focus of
> the window manager is very clearly on one window (e.g. I've clicked
> elements in that window that have become highlighted), my keyboard focus is
> on another window!

I've been experiencing this bug a lot recently as well.

I'm using KDE, and one workaround is to switch to a different virtual
desktop and back again.

But is is incredibly annoying and dangerous.

Are you using KDE or XFCE?

~abel

[ix4...@gmail.com]

KDE here.

Alex

[Joanna Rutkowska]

IIUC the problem only affects switching focus between the two windows
belonging to *the same* AppVM, correct?

joanna.

[ix4...@gmail.com]

Correct.

Alex

[Joanna Rutkowska]

Ok, perhaps there is a bug there, which is a result of us not being able
to precisely reflect the order of windows within one domain. However, I
don't think I agree this could be classified as "dangerous", or even
security-related. We've been explaining this many time -- there is no
security isolation between apps running within one domain. This is a
result of many factors, one of them being that the X server (and each
AppVM has its own dummy X server) does not provide any isolation between
apps -- see this article for more info:

http://theinvisiblethings.blogspot.com/2011/04/linux-security-circus-on-gui-isolation.html

Ok, perhaps, you might say, apps isolation is one thing, but accidental
pasting of information into Web forms is a bit more annoying. But
because we should be assuming Web to be inherently malicious, so should
be the Firefox, right (after all this is the reason we have Qubes)?

Anyway, have you tried to use the KDE's "Desktop Grid" and/or "Present
Windows" effects for Windows switching? I use them all the time.

joanna.

[Zrubecz Laszlo]

On 13 June 2013 09:15, Joanna Rutkowska <joa...@invisiblethingslab.com> wrote:

> Ok, perhaps there is a bug there, which is a result of us not being able
> to precisely reflect the order of windows within one domain.

I can confirm this bug is exist. I'm also experiencig this happens
time to time...

> However, I
> don't think I agree this could be classified as "dangerous", or even
> security-related.

Sure it is not. But really annoying.



--
Zrubi

[ix4...@gmail.com]

Calling not knowing which application will receive your input just "annoying" is an understatement in my book. Anyway, the important thing is that the bug is known and can therefore be fixed.

Alex

[ix4...@gmail.com]

For people experiencing this bug: Do you use an external monitor for your Qubes laptop? Do you get this bug when your active window is on your primary display? I think I'm seeing a pattern with my system's behaviour, related to primary vs extended display.

Alex

[Joanna Rutkowska]

I don't think it's on our priority list anytime soon (because it's not
security related, doesn't happen often -- e.g. I don't see it, and also
because one could work around it using Expose-like effects if really
concerned). But we would be happy to accept patches anytime!

joanna.

[Zrubecz Laszlo]

On 14 June 2013 12:51, Joanna Rutkowska <joa...@invisiblethingslab.com> wrote:

> I don't think it's on our priority list anytime soon (because it's not
> security related, doesn't happen often -- e.g. I don't see it,

The priority is another question...

But if you don't see it others may do... ;)

I'm constantly seeing this usually when I'm switching between virtual desktops.
And the focus is usually 'locked' by the last window I used. The
resolution is that I have to go back to previous window click inside,
and change window again to get proper focus to the 'new' window.

> because one could work around it using Expose-like effects if really
> concerned).

What is this exactly?

Currently I'm using the standard (default) KDE desktop effects.



--
Zrubi

[Joanna Rutkowska]

As note in the previous message:

> Anyway, have you tried to use the KDE's "Desktop Grid" and/or "Present
> Windows" effects for Windows switching? I use them all the time.

j.

[Zrubecz Laszlo]

On 15 June 2013 10:23, Joanna Rutkowska <joa...@invisiblethingslab.com> wrote:

> As note in the previous message:
>> Anyway, have you tried to use the KDE's "Desktop Grid" and/or "Present
>> Windows" effects for Windows switching? I use them all the time.

Oh yeah... I know these :)

Those are pretty fancy features - for a mouse only environment.... if
someone using mainly keyboard then window/desktop switching is always
on a hot key.

I wold be go crazy if I have to poke with the mouse/touchpad with
every window switching.



--
Zrubi

[Joanna Rutkowska]

Ah, those hardcore *nix people ;)

j.