Closed Bug 1837863 Opened 2 years ago Closed 2 years ago

Firefox 114 install causes unwanted update of Portable Roboform extension

Categories

(WebExtensions :: Untriaged, defect)

Product:
WebExtensions
Component:
Untriaged
Version:
Firefox 114
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 1837830

People

(Reporter: goa_bugzilla, Unassigned)

Details

Attachments

(2 files)

rf-firefox-nm-host.json
215 bytes, application/json
Details
Profile files requested by Robert Wu in comment 14
1.56 MB, application/octet-stream
Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/113.0

Steps to reproduce:

I am running Windows 10. When I upgraded from Firefox 113.0.2 to Firefox 114.0.0 recently, it updated my Portable Roboform (version 7.9.31.1) extension to the latest version from Roboform. While I have "automatic update" set for all extensions, on the Portable Roboform extension itself I have updates set to "never".

Portable Roboform (which runs from a flash drive) has been deprecated by Siber Systems and is no longer supported by them. They want everybody to use their cloud service instead. What I was "upgraded" to was their latest cloud version. Unfortunately Siber Systems has made it impossible to downgrade to Portable Roboform once their cloud version is installed.

I am able to restore my old setup from a backup. I tried disabling "automatic updates" for all extensions and did the Firefox 114 update again. Same result. Then I restored my old setup once again, downloaded the Firefox 114 installation executable, unplugged my PC from the network, and did another install of Firefox 114. It still upgraded my Portable Roboform extension with the latest version before I reconnected my PC to the network. It does appear that the latest Roboform extension is listed as being available in the pending extension updates list before I begin the Firefox 114 upgrade, so the new Roboform extension is probably coming from there. I don't know how to remove it before doing the Firefox upgrade.

I have been running this version of the Portable Roboform extension in Firefox for years now, and done regular upgrades of Firefox as each one is released (including all minor versions) since at least versions in the 90s without ever having this happen. Something is different between Firefox versions 113 and 114. It seems to want to upgrade all extensions now during the install process, whether or not you have the extension upgrade option set.

Actual results:

The Portable Roboform extension was overwritten with the latest version of the Roboform extension from Siber Systems.

Expected results:

No update of the Portable Roboform extension should have happened.

The Bugbug bot thinks this bug should belong to the 'WebExtensions::Untriaged' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Product: Firefox → WebExtensions

Can you please confirm in a new profile that without starting Firefox, something is updating the extension in your profile?

Flags: needinfo?(goa_bugzilla)

If the extension updates even when you're offline, then that suggests that the extension was either already staged for updating in your profile directory, or sideloaded by external software.

(In reply to Rob Wu [:robwu] from comment #3)

If the extension updates even when you're offline, then that suggests that the extension was either already staged for updating in your profile directory, or sideloaded by external software.

It is there in the "Available Updates" section of about:addons. How long it has been there, I don't know. I do know that I have had "Allow automatic updates" set to "No" on the Portable Roboform extension for years now and it has survived dozens of Firefox upgrades without being updated — until now.

Is there some way I can remove the Roboform upgrade from the "Available Updates" staging area? Would Firefox download the update even when I have "Automatic updates" set to no?

Flags: needinfo?(goa_bugzilla)

(In reply to Tomislav Jovanovic :zombie from comment #2)

Can you please confirm in a new profile that without starting Firefox, something is updating the extension in your profile?

I have had very little experience creating profiles. Can I create a new profile without starting Firefox? Will it have my extensions from my current profile or do I have to add them to the new profile?

Hello,

I could not reproduce the issue on the latest Release 114.0.1 updated from 113.0.2 on Windows 10 x64.

I tried 2 different extensions (RoboForm Password Manager and Tree Style Tab) of which I installed the oldest available version on AMO. I then proceeded to disable automatic updates for these extensions and afterwards I’ve updated the browser to the latest version.
After the browser restart I re-checked the extensions and they were still at the initial versions. They were not updated along with the browser update.

I also tried finding the 7.x version of RoboForm2Go which I think is the portable extension you mentioned, but could not find it anywhere on the RoboForm website. There is only the latest 9.x version available there.

(In reply to Alex Cornestean from comment #6)

Hello,

I could not reproduce the issue on the latest Release 114.0.1 updated from 113.0.2 on Windows 10 x64.

I tried 2 different extensions (RoboForm Password Manager and Tree Style Tab) of which I installed the oldest available version on AMO. I then proceeded to disable automatic updates for these extensions and afterwards I’ve updated the browser to the latest version.
After the browser restart I re-checked the extensions and they were still at the initial versions. They were not updated along with the browser update.

Yeah, I think it must have something to do with the fact that the latest Roboform 8.x version is sitting in the "Available Updates" section of the browser when I began the Firefox upgrade process, which presumably you didn't. It's not being applied automatically when it was first downloaded because I assume I have the no automatic updates option set for the Portable Roboform extension. But during the Firefox upgrade from 113 to 114 I can only assume that it does get applied.

If you know how I can remove the Roboform upgrade from the "Available Updates" (it's sitting there now in my restored Firefox 113), I could try that first and then upgrade Firefox. Originally I did have a second extension sitting in the "Available Updates" section along with the Roboform 8.x extension update. They both got updated when I upgraded Firefox the first time. However, the other extension had automatic updates enabled via the global "Allow automatic updates" option. Does the Firefox update process also apply any extension updates sitting in the "Available Updates"? That seems to be how it's working now.

I also tried finding the 7.x version of RoboForm2Go which I think is the portable extension you mentioned, but could not find it anywhere on the RoboForm website. There is only the latest 9.x version available there.

Yes, Siber Systems no longer supports Portable Roboform and has removed all downloads and support for it from its website. Siber Systems even has managed to prevent installation of the old Portable Roboform extension in Firefox once you have upgraded to their version 8.x — even after you uninstall the 8.x cloud extension first.

I have the same exact issue, my Roboform 7.xx Ext was working Ok until FF update 114.0.1 came along, now it is broken because Ext got updated without my knowledge. I posted my issue here:

http://forums.mozillazine.org/viewtopic.php?f=37&t=3110350

I have the XPI file for the older version of Roboform, if @Alex Cornestean want to try installing the extension from it and see it update.

Matt

We haven't made significant changes to add-on updating logic in 114.

Are you sure that the change is connected to the Firefox 114 update? If you quit Firefox, restore your profile directory from a backup and install Firefox 113 again, do you still get the desired behavior? Note: it is important to restore the profile directory from a backup, because you cannot use a new profile directory with an older Firefox version.

(In reply to goa_bugzilla from comment #0)

I am able to restore my old setup from a backup.

How? Did you have a copy of the old Firefox profile? If yes, please create and share a zip file with the following files from your (backup) profile directory:

  • addons.json
  • addonStartup.json.lz4
  • extensions.json
  • extensions/ directory.

And please do the same for the profile directory that has the unwanted update.

(In reply to Rob Wu [:robwu] from comment #9)

We haven't made significant changes to add-on updating logic in 114.

Are you sure that the change is connected to the Firefox 114 update? If you quit Firefox, restore your profile directory from a backup and install Firefox 113 again, do you still get the desired behavior? Note: it is important to restore the profile directory from a backup, because you cannot use a new profile directory with an older Firefox version.

I have been applying every Firefox update, including minor versions, as they are released. Never has this happened to me before. As I said before I don't know when the Roboform update appeared in my "Available Updates". It could have just been just before 114 came out. So do I absolutely know that 114 is the cause? No, but it seems likely.

(In reply to goa_bugzilla from comment #0)

I am able to restore my old setup from a backup.

How?

I make complete backups of my C: drive every week. To restore my old Firefox 113 I restored my complete C: drive since I'm not sure just what might be causing the problem. Restoring my backup is a pain because I have to stop everything, back up all my incremental changes since the weekly backup, restore the backup and then restore the incrementals except for Firefox.

Did you have a copy of the old Firefox profile? If yes, please create and share a zip file with the following files from your (backup) profile directory:

  • addons.json
  • addonStartup.json.lz4
  • extensions.json
  • extensions/ directory.

And please do the same for the profile directory that has the unwanted update.

OK, it may take a day or two. I am not sure what the difference is between my backup profile directory and "the profile directory that has the unwanted update". AFAIK they are the same, the 113 profile directory is the one with the unwanted update. I was running from 113 with Portable Roboform after a restore of the C: drive but forgot to turn off auto updates of Firefox. It updated itself to 114 and applied the Roboform update (again, even though updates were turned off for the Portable Roboform extension itself). There is now no Roboform in the "Available Updates" in my 114 profile.

I have uploaded the profile directory from my Firefox 113.

https://www.dropbox.com/s/inqjd4v4y960pb0/profile.7z?dl=0

I am temporarily marking this bug as confidential because you have shared a link to your browser profile. That contains sensitive information (including cookies, browser history, etc). You should NEVER send your full profile in public.

Please remove your profile directory from Dropbox.

I have already downloaded it and will report back once I have checked its content. As soon as I complete my investigation, I will delete the downloaded profile.

Group: mozilla-employee-confidential

(In reply to Rob Wu [:robwu] from comment #12)

I am temporarily marking this bug as confidential because you have shared a link to your browser profile. That contains sensitive information (including cookies, browser history, etc). You should NEVER send your full profile in public.

Please remove your profile directory from Dropbox.

I have already downloaded it and will report back once I have checked its content. As soon as I complete my investigation, I will delete the downloaded profile.

Thanks, though I delete cookies, browser history, etc. every time I exit Firefox, run it inside Sandboxie so it shouldn't make permanent changes to my profile, and use Bleachbit regularly to delete all this stuff.

(FYI: I have concluded my investigation and deleted the profile that you had shared)

According to your profile:

  • You were already using RoboForm 8.5.9.9 since at least the May 5, 2023 (with Firefox 112) until Jun 10, 2023 (Firefox 113).
    (source: files in datareporting/; version information confirmed with addonStartup.json.lz4, extensions.json and extensions/rf-firefox@siber.com.xpi)
  • RoboForm was first installed on Dec 18, 2017.
    (source: extensions.json)
  • RoboForm file was probably last updated on Nov 4, 2019. This seems plausible, as the add-on was published on AMO on Jul 18, 2019.
    (source: extensions.json and extensions/rf-firefox@siber.com.xpi)
  • The only mention of "7.9.31.1" is that rf-chrome-nm-host.exe version 7.9.31.1 was detected as a11y.instantiators, last seen on May 3, 2023 (Firefox 113).
    (source: datareporting/)
  • Auto-updates are disabled for this add-on.
    (source: extensions.json)

it updated my Portable Roboform (version 7.9.31.1) extension to the latest version from Roboform.

This is incorrect. Your Firefox profile never had version 7.9.31.1, only 8.5.9.9.

It still upgraded my Portable Roboform extension with the latest version before I reconnected my PC to the network. It does appear that the latest Roboform extension is listed as being available in the pending extension updates list before I begin the Firefox 114 upgrade, so the new Roboform extension is probably coming from there.

This is very unexpected. Your Firefox profile did not have any traces of updates. I can think of the following potential reasons:

  • you were not actually disconnected from the internet
  • when you restored your backup, you merged the backup with the existing files instead of replacing the profile directory entirely.

To pinpoint the issue, could you follow the following steps:

  1. Quit Firefox.
  2. Restore the Firefox profile from your backup.
  3. Create a file called user.js in your profile directory, with the following content:
user_pref("extensions.logging.enabled", true);
  1. Start Firefox
  2. Open the Browser Console (Ctrl-Shift-J)
  3. Right-click in the console to open the context menu, and click the "Save all Messages to File" menu item.
  4. Quit Firefox.
  5. Optional cleanup: delete the user.js file.

Share the following files with me:

  • console-export-(timestamp).txt, e.g. console-export-2023-6-16_23-22-48.txt
  • from the profile directory:
    • addons.json
    • addonStartup.json.lz4
    • extensions.json
    • extensions/rf-firefox@siber.com.xpi (or the whole extensions/ directory, there is no sensitive data there)
Group: mozilla-employee-confidential

(In reply to Rob Wu [:robwu] from comment #14)

(FYI: I have concluded my investigation and deleted the profile that you had shared)

According to your profile:

  • You were already using RoboForm 8.5.9.9 since at least the May 5, 2023 (with Firefox 112) until Jun 10, 2023 (Firefox 113).
    (source: files in datareporting/; version information confirmed with addonStartup.json.lz4, extensions.json and extensions/rf-firefox@siber.com.xpi)

No, there has never been a version 8.5.9.9 of Portable Roboform. It simply does not exist. Portable Roboform ended with 7.9.31. When Siber Systems started the version 8 series, it was explicitly without Portable Roboform support. It is odd that the options menu of the Portable Roboform extension does say it's version 8.5.9.9 (the current version of Roboform is 9.4.8). Siber Systems has the Roboform versions with their release dates listed at https://www.roboform.com/news-windows , it appears that 8.5.9.9 would have been released between June and July 2019.

It is possible that I accidentally added the Roboform extension (entirely different from Portable Roboform) at some point and then immediately uninstalled it. Or I could have installed the latest Roboform Windows app which then tried to install the Firefox Roboform extension, which I would have immediately uninstalled. I do have the old version 7.9.31 of the Roboform Windows app currently installed (it matches my Portable Roboform Firefox extension version) because it used to be a requirement to use Portable Roboform.

That the Portable Roboform extension thinks is it version 8.5.9.9 may be part of the problem. The Portable Roboform extension also says it was last updated on November 4, 2019. However, I think that was after the last version of Portable Roboform came out.

  • RoboForm was first installed on Dec 18, 2017.
    (source: extensions.json)
  • RoboForm file was probably last updated on Nov 4, 2019. This seems plausible, as the add-on was published on AMO on Jul 18, 2019.
    (source: extensions.json and extensions/rf-firefox@siber.com.xpi)

I don't know if you are talking about "Roboform" or "Portable Roboform" here. Maybe Siber Systems doesn't maintain any distinction in the log file. But they are two completely different things (Portable Roboform is actually from a company that Siber Systems acquired and has a completely different lineage from Roboform), and I have been very careful to identify them as such in my bug reports.

However, I have never used the Roboform extension because it is cloud based and requires a subscription which I never paid. As I said above it's possible that I installed it accidentally and then immediately removed it or it got installed by the Roboform Windows app and I immediately removed it. If that is what happened, it occurred years ago, and doesn't explain the behavior with the Firefox 114 install.

  • The only mention of "7.9.31.1" is that rf-chrome-nm-host.exe version 7.9.31.1 was detected as a11y.instantiators, last seen on May 3, 2023 (Firefox 113).
    (source: datareporting/)
  • Auto-updates are disabled for this add-on.
    (source: extensions.json)

it updated my Portable Roboform (version 7.9.31.1) extension to the latest version from Roboform.

This is incorrect. Your Firefox profile never had version 7.9.31.1, only 8.5.9.9.

I can't help what is reported. I have NEVER used version 8.5.9.9 of Portable Roboform. It simply does not exist. It has never existed. I know I am using the Portable Roboform extension because it runs on a flash drive that I have to manually unlock once my system boots. If I never unlock the flash drive, I can't use the Portable Roboform Firefox extension. If I remove the flash drive, Portable Roboform goes away.

It still upgraded my Portable Roboform extension with the latest version before I reconnected my PC to the network. It does appear that the latest Roboform extension is listed as being available in the pending extension updates list before I begin the Firefox 114 upgrade, so the new Roboform extension is probably coming from there.

This is very unexpected. Your Firefox profile did not have any traces of updates. I can think of the following potential reasons:

  • you were not actually disconnected from the internet

I physically disconnected the ethernet cable from my PC and verified that my browser could not access the internet before doing the upgrade.

  • when you restored your backup, you merged the backup with the existing files instead of replacing the profile directory entirely.

The backup was of my entire C: drive. The restore completely overwrote my existing C: drive with the backup. I didn't use a file restore because I don't know all the files the Firefox install changes on the system drive outside of my profile when it does an upgrade so I wouldn't know how to manually restore everything back to Firefox 113. The only way I have to get back to my previous setup is with a complete restore of the C: drive. I don't see how a merge could have happened.

I have done the restore process three times now, under the same conditions with the same result. As you might guess, restoring my C: drive with an old image is very disruptive to my current work.

Let me state that none of the issues you bring up — even if they were true — explain why Portable Roboform only got updated with the Firefox 113 to 114 upgrade. As you stated above from my logs, my existing Portable Roboform extension has been the same since at least 2019 and I've upgraded Firefox many times since then with no problem until now.

To pinpoint the issue, could you follow the following steps:

  1. Quit Firefox.
  2. Restore the Firefox profile from your backup.
  3. Create a file called user.js in your profile directory, with the following content:
user_pref("extensions.logging.enabled", true);
  1. Start Firefox
  2. Open the Browser Console (Ctrl-Shift-J)
  3. Right-click in the console to open the context menu, and click the "Save all Messages to File" menu item.
  4. Quit Firefox.
  5. Optional cleanup: delete the user.js file.

Share the following files with me:

  • console-export-(timestamp).txt, e.g. console-export-2023-6-16_23-22-48.txt
  • from the profile directory:
    • addons.json
    • addonStartup.json.lz4
    • extensions.json
    • extensions/rf-firefox@siber.com.xpi (or the whole extensions/ directory, there is no sensitive data there)

OK. I probably won't be able to get to it before Monday at the earliest.

Could it be that the issue is merely a broken Roboform extension, without there having been any update of Roboform at all? The "Roboform extension" does rely on a native component (provided by Portable Roboform?).

In Firefox 114, there was a regression that prevented extensions from communicating with some native apps on Windows. I have fixed the issue in bug 1835790 and bug 1837830, which is scheduled to be released as part of Firefox 114.0.2 next week.

To determine which of the bugs is causing your issue, locate the JSON file containing the registration of the native manifest (developer documentation here):

  1. Run regedit
  2. Look for a reference to a JSON file at any of the following paths:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\NativeMessagingHosts\com.siber.roboform
    • HKEY_CURRENT_USER\SOFTWARE\Mozilla\NativeMessagingHosts\com.siber.roboform
  3. Share the file that you found here.
    • If the file has a "path" line containing .., then it is bug 1837830. Otherwise it may potentially be bug 1835790.

This is the rf-firefox-nm-host.json file requested by Robert Wu in comment 16 (https://bugzilla.mozilla.org/show_bug.cgi?id=1837863#c16 ).

(In reply to Rob Wu [:robwu] from comment #16)

To determine which of the bugs is causing your issue, locate the JSON file containing the registration of the native manifest (developer documentation here):

  1. Run regedit
  2. Look for a reference to a JSON file at any of the following paths:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\NativeMessagingHosts\com.siber.roboform
    • HKEY_CURRENT_USER\SOFTWARE\Mozilla\NativeMessagingHosts\com.siber.roboform
  3. Share the file that you found here.
    • If the file has a "path" line containing .., then it is bug 1837830. Otherwise it may potentially be bug 1835790.

Yup, the line is "path": "../Chrome/rf-chrome-nm-host.exe"

This contains the message log file and extensions data requested by Robert Wu in comment 14 (https://bugzilla.mozilla.org/show_bug.cgi?id=1837863#c14 ).

(In reply to Rob Wu [:robwu] from comment #14)

Share the following files with me:

I have uploaded the requested files.

(In reply to goa_bugzilla from comment #18)

(In reply to Rob Wu [:robwu] from comment #16)

  1. Look for a reference to a JSON file at any of the following paths:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\NativeMessagingHosts\com.siber.roboform
    • HKEY_CURRENT_USER\SOFTWARE\Mozilla\NativeMessagingHosts\com.siber.roboform
  2. Share the file that you found here.
    • If the file has a "path" line containing .., then it is bug 1837830. Otherwise it may potentially be bug 1835790.

Yup, the line is "path": "../Chrome/rf-chrome-nm-host.exe"

This confirms that the issue is bug 1837830. Please wait a few days for the publication of Firefox 114.0.2.

If you cannot wait that much, and the path to the native host is fixed, you can consider editing the file and replacing path with an absolute path, e.g. C:/path/to/Chrome/rf-chrome-nm-host.exe

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1837830
Resolution: --- → DUPLICATE

(In reply to Rob Wu [:robwu] from comment #21)

This confirms that the issue is bug 1837830. Please wait a few days for the publication of Firefox 114.0.2.

Firefox 114.0.2 fixes my problem with the Portable Roboform extension being updated erroneously. You may close this bug.

Thank you for your help!

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: