#19890 closed defect (fixed)

Tor Browser warning: "Your Firefox is out of date."

Reported by: arthuredelstein Owned by: tbb-team
Priority: Very High Milestone:
Component: Applications/Tor Browser Version:
Severity: Critical Keywords: TorBrowserTeam201608R, tbb-6.0-issues
Cc: b_meson Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

On Tor Browser 6.0.3 (up-to-date) I saw the following warning appear below the URL bar:

"Your Firefox is out of date. Please download a fresh copy." On the right is a button that says "Get Firefox". Obviously we want to disable this warning.

Child Tickets

Attachments (1)

Screenshot - 081016 - 23:11:53.png (14.8 KB) - added by arthuredelstein 22 months ago.

Download all attachments as: .zip

Change History (16)

Changed 22 months ago by arthuredelstein

comment:1 Changed 22 months ago by arthuredelstein

Looks like it came from this bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=1280378

I'm not sure yet how it gets into Firefox (or Tor Browser for that matter).

comment:3 Changed 22 months ago by gk

Priority: MediumVery High
Severity: NormalCritical

comment:4 Changed 22 months ago by gk

Cc: b_meson added

#19891 is a duplicate.

comment:5 in reply to:  1 Changed 22 months ago by gk

Keywords: tbb-6.0-issues added

Replying to arthuredelstein:

Looks like it came from this bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=1280378

I'm not sure yet how it gets into Firefox (or Tor Browser for that matter).

It seems the infrastructure was already there starting with Firefox 44:

https://bugzilla.mozilla.org/show_bug.cgi?id=1192924 and
https://bugzilla.mozilla.org/show_bug.cgi?id=1213348.

Now, they probably just were ready with the "your Firefox is out of date"-system add-on. I guess we should just disable that update ping with our data:text/plain, trick. And think about how to get rid of already installed system extensions.

comment:6 Changed 22 months ago by gk

Okay, I've filed https://bugzilla.mozilla.org/show_bug.cgi?id=1294395 and poked the Mozilla folks on #releng. Hopefully they can tweak the server-side rules in order to affect less of our users while we are working on getting a new version out.

comment:7 Changed 22 months ago by cypherpunks

extensions.systemAddon.update.url should be set to "".

comment:8 in reply to:  7 Changed 22 months ago by arthuredelstein

Replying to cypherpunks:

extensions.systemAddon.update.url should be set to "".

I think this is a good solution. To check this, I found the location of the XPI in Tor Browser:

arthur@localhost ~/t/Browser> find . -name "*outofdate*"
./TorBrowser/Data/Browser/profile.default/features/{541bf4ef-2e8d-44d5-9aa1-887165d68eec}/outofdate-notifications@mozilla.org.xpi
./TorBrowser/Data/Browser/profile.default/datareporting/archived/2016-08/1470864327100.72bc501f-cad6-4be7-b082-9af725197de9.outofdate-notifications-system-addon.jsonlz4
./TorBrowser/Data/Browser/profile.default/datareporting/archived/2016-08/1470864333700.c7c02599-f462-49f2-8f11-fad83bfc976c.outofdate-notifications-system-addon.jsonlz4

After setting the pref to "", I opened Tor Browser and entered the following in the browser console:

Cu.import("resource://gre/modules/AddonManager.jsm");
AddonManagerPrivate.backgroundUpdateCheck();

Then I confirmed that the XPI had been removed:

arthur@localhost ~/t/Browser> find . -name "*outofdate*"
./TorBrowser/Data/Browser/profile.default/datareporting/archived/2016-08/1470864327100.72bc501f-cad6-4be7-b082-9af725197de9.outofdate-notifications-system-addon.jsonlz4
./TorBrowser/Data/Browser/profile.default/datareporting/archived/2016-08/1470864333700.c7c02599-f462-49f2-8f11-fad83bfc976c.outofdate-notifications-system-addon.jsonlz4

Here is the relevant code that apparently removes the XPI file. When the pref is empty, url is falsey and yield systemAddonLocation.cleanDirectories(); is called:
https://dxr.mozilla.org/mozilla-central/rev/0502bd9e025edde29777ba1de4280f9b52af4663/toolkit/mozapps/extensions/internal/XPIProvider.jsm#3069

Last edited 22 months ago by arthuredelstein (previous) (diff)

comment:9 Changed 22 months ago by gk

Keywords: TorBrowserTeam201608R added; TorBrowserTeam201608 removed
Status: newneeds_review

Good idea, thanks. I've been a bit too fast it seems. The fix (https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.3.0esr-6.0-1&id=61700466ddefff3005633a6e31f34133eb98197f) was aimed to go into my public repo not directly to tor-browser-45.3.0-6.0-1. Please review, I am holding off starting a build for 6.0.4 until somebody looked at it.

comment:10 in reply to:  9 Changed 22 months ago by arthuredelstein

Replying to gk:

Good idea, thanks. I've been a bit too fast it seems. The fix (https://gitweb.torproject.org/tor-browser.git/commit/?h=tor-browser-45.3.0esr-6.0-1&id=61700466ddefff3005633a6e31f34133eb98197f) was aimed to go into my public repo not directly to tor-browser-45.3.0-6.0-1. Please review, I am holding off starting a build for 6.0.4 until somebody looked at it.

Rather than patching firefox.js directly, maybe we should apply this setting in browser/app/profile/000-tor-browser.js as we have with most other prefs? (I notice we have two other changes to firefox.js (from our patches for #5472 and #4234) -- maybe these should also be migrated to 000-tor-browser.js?)

comment:11 Changed 22 months ago by gk

I guess we could I guess, I followed mcs and brade in patching firefox.js here. I think for the fixup release doing that is fine.

FWIW: The alpha and hardened series is not affected and Tails neither (they have app.update.enabled set to false).

comment:12 Changed 22 months ago by gk

Just as an update: this issue got fixed on Mozilla's side meanwhile (thanks to bhearsum and all the other Mozilla folks that helped).

We might want to think about shipping an update though (containing the fix on our side and an updated tor maybe).

comment:13 in reply to:  description Changed 22 months ago by in spatium

Replying to arthuredelstein:

On Tor Browser 6.0.3 (up-to-date) I saw the following warning appear below the URL bar:

"Your Firefox is out of date. Please download a fresh copy." On the right is a button that says "Get Firefox". Obviously we want to disable this warning.

A solution --
Go to about:config/extensions.bootstrappedAddon
Reset the string Value to empty Value {}
Restart Tor browser.
The warning will not appear again.

Solution for the false warning "Your Firefox is out of date. Please download a fresh copy.":
https://www.reddit.com/r/TOR/comments/4x8wwk/solution_for_the_false_warning_your_firefox_is/

Last edited 22 months ago by in spatium (previous) (diff)

comment:14 Changed 22 months ago by gk

#19900 is a duplicate.

comment:15 Changed 22 months ago by gk

Resolution: fixed
Status: needs_reviewclosed

This is fixed on tor-browser-45.3.0esr-6.0-1 and tor-browser-45.3.0esr-6.5-1 (commit 61700466ddefff3005633a6e31f34133eb98197f and 8af42ff851bab2d9b17d380c170f06c28b94c74b) and will be in our next stable, 6.0.4.

Note: See TracTickets for help on using tickets.