Opened 9 years ago

Closed 8 years ago

#2255 closed defect (fixed)

TBB does not disable other firefox extensions

Reported by: cypherpunks
Owned by: erinn
Priority: High
Milestone:
Component: Applications/Tor bundles/installation
Version:
Severity:
Keywords: tbb-2.2.32-4 tbb linux
Cc: erinn
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

When I run the current TBB (tor-browser-gnu-linux-x86_64-1.0.17-dev-en-US.tar.gz) on Ubuntu Maverick, system-wide Firefox plugins are loaded into the TBB instance.

Most prominent is the "Ubuntu Firefox Modifications" add-on; other Firefox properties seem to be enabled - such as DivX, Totem as a video handler, and others.

This is probably very dangerous even with Torbutton unless Mike Perry says otherwise.

Change History (13)

comment:1 Changed 9 years ago by erinn

Status: changed from new to accepted

This is indeed quite dangerous -- for an example of why, see #2118. I'm looking into a fix for this that is simpler or more elegant than eviscerating large parts of the codebase or binary patching libxul.

comment:2 Changed 8 years ago by erinn

Status: changed from accepted to needs_information

The current 2.2.x experimental bundles use a Firefox pref that is intended to prevent loading of plugins outside of the intended scope (e.g., you can specify if you want it to load only from the current app, the current profile, or system-wide). I've enabled it to use the most restrictive scope (app-level). Can you tell me if this works?

https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-x86_64-2.2.30-1-alpha-en-US.tar.gz
https://www.torproject.org/dist/torbrowser/linux/tor-browser-gnu-linux-x86_64-2.2.30-1-alpha-en-US.tar.gz.asc

comment:3 Changed 8 years ago by rransom

#2826 is related.

comment:4 Changed 8 years ago by rransom

Owner: changed from erinn to mikeperry
Status: changed from needs_information to assigned

We now know that that preference is not preventing Firefox from loading system-wide plugins on Linux. Mike Perry is trying to fix this bug with a Firefox patch.

comment:5 Changed 8 years ago by rransom

Cc: erinn added

comment:6 Changed 8 years ago by erinn

Keywords: 2.2.32-4 added

comment:7 Changed 8 years ago by erinn

Keywords: tbb-2.2.32-4 added; 2.2.32-4 removed

comment:8 Changed 8 years ago by mikeperry

Btw, I am not sure my patch (#3547) will have any influence on system-wide extensions. It only deals with plugins.

comment:9 Changed 8 years ago by erinn

I thought DivX and Totem were actually plugins. Is that wrong? Sometimes people confuse the two terms.

comment:10 in reply to:  9 Changed 8 years ago by mikeperry

Replying to erinn:

> I thought DivX and Totem were actually plugins. Is that wrong? Sometimes people confuse the two terms.

I believe you're right and DivX and Totem are plugins. The "Ubuntu Firefox Modifications" is probably an xpi addon, though. And it's probably not good for business.

Surprised enabledScopes doesn't handle the Ubuntu addon though.

Or maybe it does? Have we re-tested this since setting enabledScopes?

comment:11 Changed 8 years ago by mikeperry

Owner: changed from mikeperry to erinn

Erinn - can you find an Ubuntu user to see if this is fixed? I think enabledScopes should have fixed it.

comment:12 Changed 8 years ago by karsten

Keywords: tbb linux added
Milestone: Tor Browser Bundle for Linux

comment:13 Changed 8 years ago by mikeperry

Resolution: fixed
Status: changed from assigned to closed

I think this is actually fixed. We've had Ubuntu users on other bugs (#4517) tell us that they do not see any system addons installed.
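
An added example, not part of the ticket and not Tor Project code: a check of a Firefox pref file for the extension scope preference discussed in comments 2 and 10, reporting whether add-on locations outside the bundle are still enabled. The scope bit values are Firefox's AddonManager constants; treating an unset pref as 15 (all scopes), the `EXTERNAL` grouping and the sample pref text are assumptions made here.

```python
import re

# Bit values of Firefox's AddonManager install scopes, as combined in the
# extensions.enabledScopes preference.
SCOPES = {1: "profile", 2: "user", 4: "application", 8: "system"}
EXTERNAL = 2 | 8          # locations outside the browser bundle and its profile
ASSUMED_DEFAULT = 15      # assumption: an unset pref is treated as "all scopes"

# Matches an assignment line; lines commented out with // do not match.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|pref|lockPref|defaultPref)\(\s*'
    r'"extensions\.enabledScopes"\s*,\s*(\d+)\s*\)\s*;',
    re.MULTILINE,
)

def enabled_scopes(pref_text, default=ASSUMED_DEFAULT):
    """Return the effective bitmask; the last assignment in the file wins."""
    mask = default
    for match in PREF_RE.finditer(pref_text):
        mask = int(match.group(1))
    return mask

def decode(mask):
    """Names of the scopes whose bits are set in mask."""
    return [name for bit, name in SCOPES.items() if mask & bit]

def external_scopes(pref_text):
    """Scopes that let add-ons installed outside the bundle load."""
    return decode(enabled_scopes(pref_text) & EXTERNAL)

# Constructed sample pref files (not taken from any real bundle).
RESTRICTED = '''
// pref("extensions.enabledScopes", 15);
user_pref("extensions.enabledScopes", 15);
user_pref("extensions.enabledScopes", 1);
'''
UNSET = 'user_pref("browser.startup.homepage", "about:blank");\n'

if __name__ == "__main__":
    for label, text in (("restricted", RESTRICTED), ("unset", UNSET)):
        found = external_scopes(text)
        print(label, decode(enabled_scopes(text)), "external:", found or "none")
```

This covers extension scopes only; comment 4 reports that the preference did not stop system-wide plugins from loading on Linux.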
