Hiding keyboard state

Adam Jackson ajax at nwnk.net
Mon Nov 30 08:01:34 PST 2015


On Mon, 2015-11-23 at 11:04 -0800, Keith Packard wrote:
> One of the many security holes in X is that any application can monitor
> the state of the keyboard device by querying the list of pressed keys on
> a regular basis. Here's a simple patch which makes that request report
> only key state which the client itself has already seen through X
> events.
> 
> With this patch in place, grabbing the keyboard should be sufficient to
> hide key presses from other clients.
> 
> I think we need to try to fix some of these issues, even if the fixes
> break existing applications.

Better unbefuckinglievably late than never.  This gets xterm's Secure
Keyboard mode to be secure against xspy, which is nice.  If we're going
to go down this path, we should also update the protocol spec to say
it's a legal move for the implementation.

> +    /* Track keyboard state per client */
> +    switch (type) {
> +    case KeyPress:
> +        SetBit(client->down, pEvents->u.u.detail);
> +        break;
> +    case KeyRelease:
> +        ClearBit(client->down, pEvents->u.u.detail);
> +        break;
> +    case KeymapNotify:
> +        memcpy(client->down+1, ((xKeymapEvent *) pEvents)->map, 31);
> +        break;
> +    }
> +
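Review bot: the memcpy in the KeymapNotify case copies to client->down+1 with a literal length of 31, and nothing in the hunk says why the first byte of the per-client bitmap is skipped or where 31 comes from. A one-line comment stating that the event's map starts at the second byte of the key bitmap would settle it for later readers, and taking the length from the size of the map field in xKeymapEvent instead of the bare 31 would keep the copy tied to the structure. As written, this case leaves byte 0 of client->down untouched, so those bits only change through the KeyPress and KeyRelease cases.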

I assume the offset here is because of the dumb "keys 0-7 don't really
exist" bug, right?  If so,

Reviewed-by: Adam Jackson <ajax at redhat.com>

- ajax

