beta to master (#20141)

Author: seanbudd

source/NVDAObjects/IAccessible/ia2Web.py

@@ -104,10 +104,6 @@ def _rolesGenerator(self) -> Generator[Optional[controlTypes.Role], None, None]:
 
 class Ia2Web(IAccessible):
 	IAccessibleTableUsesTableCellIndexAttrib = True
-	# The IAccessibleText implementation in web browsers exposes embedded object
-	# characters which need to be traversed to read the content. That isn't useful
-	# to users.
-	_shouldUseTextInfoForReading = False
 
 	def isDescendantOf(self, obj: "NVDAObjects.NVDAObject") -> bool:
 		if obj.windowHandle != self.windowHandle:
@@ -288,9 +284,6 @@ class Figure(Ia2Web):
 
 class Editor(Ia2Web, DocumentWithTableNavigation):
 	TextInfo = MozillaCompoundTextInfo
-	# MozillaCompoundTextInfo traverses embedded objects and is suitable for
-	# presentation to users.
-	_shouldUseTextInfoForReading = True
 
 	def _getTableCellAt(self, tableID, startPos, destRow, destCol):
 		# Locate the table in the object ancestry of the given document position.

source/NVDAObjects/__init__.py

@@ -1605,12 +1605,6 @@ def _get__hasNavigableText(self):
 		else:
 			return False
 
-	#: Whether the TextInfo should be used for the review cursor, the read current
-	#: line command, etc. This should be False where the TextInfo is only used
-	#: internally and doesn't provide text that is suitable for presentation to the
-	#: user; e.g. it includes raw embedded object characters.
-	_shouldUseTextInfoForReading: bool = True
-
 	def _get_hasIrrelevantLocation(self):
 		"""Returns whether the location of this object is irrelevant for mouse or magnification tracking or highlighting,
 		either because it is programatically hidden (State.INVISIBLE), off screen or the object has no location."""

source/_magnifier/commands.py

@@ -34,46 +34,50 @@
 )
 from logHandler import log
 
-PAN_ACTION_TO_EDGE_NAME = {
+PAN_ACTION_TO_EDGE_MESSAGES = {
 	MagnifierAction.PAN_LEFT: pgettext(
 		"magnifier",
-		# Translators: Short name for the left edge, used in messages.
-		"left",
+		# Translators: Message announced when already at left edge of the screen while panning the magnified view
+		"left edge",
 	),
 	MagnifierAction.PAN_RIGHT: pgettext(
 		"magnifier",
-		# Translators: Short name for the right edge, used in messages.
-		"right",
+		# Translators: Message announced when already at right edge of the screen while panning the magnified view
+		"right edge",
 	),
 	MagnifierAction.PAN_UP: pgettext(
 		"magnifier",
-		# Translators: Short name for the top edge, used in messages.
-		"top",
+		# Translators: Message announced when already at top edge of the screen while panning the magnified view
+		"top edge",
 	),
 	MagnifierAction.PAN_DOWN: pgettext(
 		"magnifier",
-		# Translators: Short name for the bottom edge, used in messages.
-		"bottom",
+		# Translators: Message announced when already at bottom edge of the screen while panning the magnified view
+		"bottom edge",
 	),
 	MagnifierAction.PAN_LEFT_EDGE: pgettext(
 		"magnifier",
-		# Translators: Short name for the left edge, used in messages.
-		"left",
+		# Translators: Message announced when already at left edge of the screen while panning the magnified view
+		# to left edge
+		"left edge",
 	),
 	MagnifierAction.PAN_RIGHT_EDGE: pgettext(
 		"magnifier",
-		# Translators: Short name for the right edge, used in messages.
-		"right",
+		# Translators: Message announced when already at right edge of the screen while panning the magnified view
+		# to right edge
+		"right edge",
 	),
 	MagnifierAction.PAN_TOP_EDGE: pgettext(
 		"magnifier",
-		# Translators: Short name for the top edge, used in messages.
-		"top",
+		# Translators: Message announced when already at top edge of the screen while panning the magnified view
+		# to top edge
+		"top edge",
 	),
 	MagnifierAction.PAN_BOTTOM_EDGE: pgettext(
 		"magnifier",
-		# Translators: Short name for the bottom edge, used in messages.
-		"bottom",
+		# Translators: Message announced when already at left edge of the screen while panning the magnified view
+		# to left edge
+		"bottom edge",
 	),
 }
 
@@ -165,14 +169,7 @@ def pan(action: MagnifierAction) -> None:
 	if magnifierIsActiveVerify(magnifier, action):
 		hasMoved = magnifier._pan(action)
 		if not hasMoved:
-			edgeName = PAN_ACTION_TO_EDGE_NAME.get(action)
-			ui.message(
-				pgettext(
-					"magnifier",
-					# Translators: Message announced when arriving at the {edge} edge.
-					"{edge} edge",
-				).format(edge=edgeName),
-			)
+			ui.message(PAN_ACTION_TO_EDGE_MESSAGES[action])
 
 
 def toggleFilter() -> None:

source/_remoteClient/client.py

@@ -295,8 +295,6 @@ def disconnectAsLeader(self):
 
 	def disconnectAsFollower(self):
 		"""Close follower session and clean up related resources."""
-		if self.followerTransport:
-			self.followerTransport.transportConnectionFailed.unregister(self.onConnectAsFollowerFailed)
 		self.followerSession.close()
 		self.followerSession = None
 		self.followerTransport = None
@@ -308,7 +306,7 @@ def disconnectAsFollower(self):
 
 	@alwaysCallAfter
 	def onConnectAsLeaderFailed(self):
-		if self.leaderTransport.successfulConnects == 0:
+		if self.leaderTransport is not None and self.leaderTransport.successfulConnects == 0:
 			log.error(f"Failed to connect to {self.leaderTransport.address}")
 			self.disconnectAsLeader()
 			# Translators: Title of the connection error dialog.
@@ -321,21 +319,6 @@ def onConnectAsLeaderFailed(self):
 				style=wx.OK | wx.ICON_WARNING,
 			)
 
-	@alwaysCallAfter
-	def onConnectAsFollowerFailed(self):
-		if self.followerTransport and self.followerTransport.successfulConnects == 0:
-			log.error(f"Failed to connect to {self.followerTransport.address}")
-			self.disconnectAsFollower()
-			# Translators: Title of the connection error dialog.
-			gui.messageBox(
-				parent=gui.mainFrame,
-				# Translators: Title of the connection error dialog.
-				caption=pgettext("remote", "Error Connecting"),
-				# Translators: Message shown when unable to connect to the remote computer.
-				message=pgettext("remote", "Unable to connect to the remote computer"),
-				style=wx.OK | wx.ICON_WARNING,
-			)
-
 	def doConnect(self, evt: inputCore.InputGesture = None):
 		"""Show connection dialog and handle connection initiation.
 
@@ -451,7 +434,6 @@ def connectAsFollower(self, connectionInfo: ConnectionInfo):
 			self.onFollowerCertificateFailed,
 		)
 		transport.transportConnected.register(self.onConnectedAsFollower)
-		transport.transportConnectionFailed.register(self.onConnectAsFollowerFailed)
 		transport.transportDisconnected.register(self.onDisconnectedAsFollower)
 		transport.reconnectorThread.start()
 		if self.menu:
@@ -478,15 +460,16 @@ def handleCertificateFailure(self, transport: RelayTransport):
 		log.warning(f"Certificate validation failed for {transport.address}")
 		self.lastFailAddress = transport.address
 		self.lastFailKey = transport.channel
+		self._lastFailFingerprint = transport.lastFailFingerprint
 		self.disconnect(_silent=True)
 		try:
-			certHash = transport.lastFailFingerprint
-
-			wnd = dialogs.CertificateUnauthorizedDialog(None, fingerprint=certHash)
+			wnd = dialogs.CertificateUnauthorizedDialog(None, fingerprint=self._lastFailFingerprint)
 			a = wnd.ShowModal()
 			if a == wx.ID_YES:
 				config = configuration.getRemoteConfig()
-				config["trustedCertificates"][hostPortToAddress(self.lastFailAddress)] = certHash
+				config["trustedCertificates"][hostPortToAddress(self.lastFailAddress)] = (
+					self._lastFailFingerprint
+				)
 			if a == wx.ID_YES or a == wx.ID_NO:
 				return True
 		except Exception as ex:
@@ -502,6 +485,7 @@ def onLeaderCertificateFailed(self):
 				port=self.lastFailAddress[1],
 				key=self.lastFailKey,
 				insecure=True,
+				trustedFingerprint=self._lastFailFingerprint,
 			)
 			self.connectAsLeader(connectionInfo=connectionInfo)
 
@@ -514,6 +498,7 @@ def onFollowerCertificateFailed(self):
 				port=self.lastFailAddress[1],
 				key=self.lastFailKey,
 				insecure=True,
+				trustedFingerprint=self._lastFailFingerprint,
 			)
 			self.connectAsFollower(connectionInfo=connectionInfo)
 

source/_remoteClient/connectionInfo.py

@@ -71,6 +71,9 @@ class ConnectionInfo:
 	insecure: bool = False
 	"""Allow insecure connections without SSL/TLS, defaults to False"""
 
+	trustedFingerprint: str | None = None
+	"""Specifies a single certificate fingerprint to trust if :attr:`insecure` is ``True``."""
+
 	def __post_init__(self) -> None:
 		self.port = self.port or SERVER_PORT
 		self.mode = ConnectionMode(self.mode)

source/_remoteClient/transport.py

@@ -35,7 +35,7 @@
 from dataclasses import dataclass
 from logHandler import log
 from queue import Queue
-from typing import Any, Literal, Optional, Self
+from typing import Any, Literal, Optional, Self, cast
 
 import wx
 from extensionPoints import Action, HandlerRegistrar
@@ -263,13 +263,16 @@ def __init__(
 		address: tuple[str, int],
 		timeout: int = 0,
 		insecure: bool = False,
+		*,
+		trustedFingerprint: str | None = None,
 	) -> None:
 		"""Initialize the TCP transport.
 
 		:param serializer: Message serializer instance
 		:param address: Remote address to connect to, as (host, port) tuple
 		:param timeout: Connection timeout in seconds, defaults to 0
 		:param insecure: Skip certificate verification, defaults to False
+		:param trustedFingerprint: Certificate fingerprint to trust this session if connecting insecurely.
 		"""
 		super().__init__(serializer=serializer)
 		self.closed: bool = False
@@ -304,6 +307,8 @@ def __init__(
 		self.insecure: bool = insecure
 		"""Whether to skip certificate verification"""
 
+		self._trustedFingerprint = trustedFingerprint
+
 	def run(self) -> None:
 		"""
 		Establishes a connection to the server and manages the transport lifecycle.
@@ -319,10 +324,9 @@ def run(self) -> None:
 		thread, and enters the read loop. Upon disconnection, it clears the connected
 		event, notifies about the transport disconnection, and performs cleanup.
 
-		Raises:
-			ssl.SSLCertVerificationError: If SSL certificate verification fails and
-										  the fingerprint is not trusted.
-			Exception: For any other exceptions during the connection process.
+		:raises ssl.SSLCertVerificationError: If SSL certificate verification fails and
+			the fingerprint is not trusted.
+			:raises Exception: For any other exceptions during the connection process.
 		"""
 		self.closed = False
 		try:
@@ -338,6 +342,7 @@ def run(self) -> None:
 			except Exception:
 				pass
 			if self.isFingerprintTrusted(fingerprint):
+				self._trustedFingerprint = fingerprint
 				self.insecure = True
 				return self.run()
 			self.lastFailFingerprint = fingerprint
@@ -346,6 +351,20 @@ def run(self) -> None:
 		except Exception:
 			self.transportConnectionFailed.notify()
 			raise
+		# If connecting without certificate verification and we were given a fingerprint to trust,
+		# check that the server's certificate matches it.
+		if (
+			self.insecure
+			and self._trustedFingerprint is not None
+			# Since this is a client-side socket, if connection was successful it will always return a certificate.
+			and (fingerprint := self._derCert2fingerprint(cast(bytes, self.serverSock.getpeercert(True))))
+			!= self._trustedFingerprint
+		):
+			self._disconnect()
+			self.lastFailFingerprint = fingerprint
+			self.transportCertificateAuthenticationFailed.notify()
+			self.transportConnectionFailed.notify()
+			return
 		self.onTransportConnected()
 		self.startQueueThread()
 		self._readLoop()
@@ -366,13 +385,18 @@ def isFingerprintTrusted(self, fingerprint: str) -> bool:
 			and config["trustedCertificates"][hostPortToAddress(self.address)] == fingerprint
 		)
 
+	@staticmethod
+	def _derCert2fingerprint(cert: bytes) -> str:
+		"""Convert a DER-encoded certificate to a certificate fingerprint."""
+		return hashlib.sha256(cert).hexdigest().lower()
+
 	def getHostFingerprint(self) -> str:
 		tempConnection = self.createOutboundSocket(*self.address, insecure=True)
 		tempConnection.connect(self.address)
 		certBin = tempConnection.getpeercert(True)
 		tempConnection.close()
-		fingerprint = hashlib.sha256(certBin).hexdigest().lower()
-		return fingerprint
+		# Since this is a client-side socket, if connection was successful it will always return a certificate.
+		return self._derCert2fingerprint(cast(bytes, certBin))
 
 	def startQueueThread(self) -> None:
 		"""Start the outbound message queue thread."""
@@ -609,6 +633,8 @@ def __init__(
 		connectionType: str | None = None,
 		protocolVersion: int = PROTOCOL_VERSION,
 		insecure: bool = False,
+		*,
+		trustedFingerprint: str | None = None,
 	) -> None:
 		"""Initialize a new RelayTransport instance.
 
@@ -619,12 +645,14 @@ def __init__(
 		:param connectionType: Connection type identifier, defaults to ``None``
 		:param protocolVersion: Protocol version to use, defaults to :const:`PROTOCOL_VERSION`
 		:param insecure: Whether to skip certificate verification, defaults to ``False``
+		:param trustedFingerprint: Certificate fingerprint to trust this session if connecting insecurely.
 		"""
 		super().__init__(
 			address=address,
 			serializer=serializer,
 			timeout=timeout,
 			insecure=insecure,
+			trustedFingerprint=trustedFingerprint,
 		)
 		log.info(f"Connecting to {address} channel {channel}")
 		self.channel: str | None = channel
@@ -652,6 +680,7 @@ def create(cls, connectionInfo: ConnectionInfo, serializer: Serializer) -> Self:
 			channel=connectionInfo.key,
 			connectionType=connectionInfo.mode,
 			insecure=connectionInfo.insecure,
+			trustedFingerprint=connectionInfo.trustedFingerprint,
 		)
 
 	def onConnected(self) -> None:

source/config/__init__.py

@@ -373,7 +373,7 @@ def _setSystemConfig(
 		else:
 			relativePath = os.path.relpath(curSourceDir, fromPath)
 			curDestDir = os.path.join(toPath, relativePath)
-			if not isMigration and relativePath == "addons":
+			if not isMigration and relativePath.casefold() == "addons":
 				_prepareToCopyAddons(fromPath, toPath, subDirs, addonsToCopy)
 		if not os.path.isdir(curDestDir):
 			os.makedirs(curDestDir)

source/core.py

@@ -950,9 +950,14 @@ def main():
 			warnForNonEmptyDirectory=warnForNonEmptyDirectory,
 		)
 	elif not globalVars.appArgs.minimal:
-		try:
+		if screenCurtain.screenCurtain.enabled:
+			# Translators: This is shown on a braille display (if one is connected) when NVDA starts with the screen curtain enabled.
+			initialMessage = _("NVDA started with screen curtain enabled")
+		else:
 			# Translators: This is shown on a braille display (if one is connected) when NVDA starts.
-			braille.handler.message(_("NVDA started"))
+			initialMessage = _("NVDA started")
+		try:
+			braille.handler.message(initialMessage)
 		except:  # noqa: E722
 			log.error("", exc_info=True)
 		if globalVars.appArgs.launcher:

source/globalCommands.py

@@ -262,22 +262,15 @@ def script_toggleCurrentAppSleepMode(self, gesture):
 	def script_reportCurrentLine(self, gesture):
 		obj = api.getFocusObject()
 		treeInterceptor = obj.treeInterceptor
-		useTextInfo: bool = False
 		if (
 			isinstance(treeInterceptor, treeInterceptorHandler.DocumentTreeInterceptor)
 			and not treeInterceptor.passThrough
 		):
 			obj = treeInterceptor
-			useTextInfo = True
-		else:
-			useTextInfo = obj._shouldUseTextInfoForReading
-		if useTextInfo:
-			try:
-				info = obj.makeTextInfo(textInfos.POSITION_CARET)
-			except (NotImplementedError, RuntimeError):
-				info = obj.makeTextInfo(textInfos.POSITION_FIRST)
-		else:
-			info = NVDAObjectTextInfo(obj, textInfos.POSITION_FIRST)
+		try:
+			info = obj.makeTextInfo(textInfos.POSITION_CARET)
+		except (NotImplementedError, RuntimeError):
+			info = obj.makeTextInfo(textInfos.POSITION_FIRST)
 		info.expand(textInfos.UNIT_LINE)
 		scriptCount = getLastScriptRepeatCount()
 		if scriptCount == 0: