Closed Bug 667341 Opened 13 years ago Closed 13 years ago

Manual uninstallation of DivX extensions disabled by "portable" FF 5 installation

Categories

(Toolkit :: Add-ons Manager, enhancement)

Product:
Toolkit
Component:
Add-ons Manager
Platform:
x86
Windows 7
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 640775

People

(Reporter: hmdmhdfmhdjmzdtjmzdtzktdkztdjz, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.100 Safari/534.30
Build Identifier: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0

FF5 disables the DivX add-ons. In a "portable" version I got no "uninstall" button, because the add-ons don't reside in the "portable" global or user profile extensions folders. BTW, it would be nice if FF reports where *exactly* (path) it finds add-ons. Using the extension IDs reported by the FF troubleshooting page, and using regedit I finally understood what's going on: On windows 7 DivX is installed, DivX created HKLM\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions entries, and the "portable" FF5 (started on this windows 7 box for the first time for a quick 4.0.1 to 5.0 upgrade) told me that it disabled the DivX extensions.

So far it's okay. But what if some malware creates "Firefox" registry entries waiting for a "portable" FF to attach whatever it finds, as long as it's not known to be incompatible and disabled? Is this a potential security loophole in the FF upgrade/reinstall procedure? Clearly it surprised me, starting with the missing "uninstall" buttons.

Reproducible: Didn't try

Steps to Reproduce:
1. Install a portable FF 4.0.1 on a USB stick (without any DivX add-ons) 
2. Install DivX on a windows box without Firefox (no FF in the registry)
3. Insert USB stick on this box, upgrade "portable" Firefox to FF 5.0
4. Find unexpected "disabled" DivX extensions not existing on USB-stick
5. Delete registry entries manually, write an essay disguised as bug report

Actual Results:  
Disabled DivX extensions without uninstall buttons, and hard to find recipes how to locate profile folders and get rid of obscure stuff (not exactly matching this case, but helpful).

Expected Results:  
No DivX extensions (only Firefox should install extensions, not 3rd parties)

-OR-
 
Extensions with uninstall buttons: Any FF using these registry keys is also entitled to delete them, and v.v.


Issue submitted as "ENH", but just in case I flagged it as "hidden". Ideally my security concerns are patent nonsense, please simply remove the "hidden" attribute if that's the case.
Group: core-security
Component: Security → General
QA Contact: firefox → general
Component: General → Add-ons Manager
Product: Firefox → Toolkit
QA Contact: general → add-ons.manager
I'm not sure what the bug is that you're reporting. Is it that you are unable to uninstall globally installed add-ons (bug 640775)? Or is it that portable Firefox shouldn't be using globally installed add-ons (a bug in portable Firefox)?
Reporter, if you do not wish that Firefox is using globally installed add-ons you will have to exclude those via the 'extensions.enabledScopes' preference. In case of the portable version of Firefox you only want to load extensions from within the profile. So the mentioned pref above should be set to 5.

In case of this report it sounds invalid to me. Globally installed addons cannot be uninstalled by yourself because you don't have the permissions. That's why the uninstall button is not visible.
@Dave: I reported a feature "with a high astonishment factor". As you said bug 640775 already covers one aspect of my issue, but the second point (portable FF should not silently attach to anything it finds on a host) is also important.

@Henrik: Thanks, IIRC I never modified this setting, maybe its default value is not as it should be for a portable installation. 

I disagree with your conclusion, I have all ordinary windows 7 admin rights and should be able to remove cruft in an FF registry key added by a third party directly (without regedit). IMO add-ons are the territory of users, only extensions added by users within FF should be used, not any "ware" added by third parties outside of FF.
(In reply to comment #3)
> @Dave: I reported a feature "with a high astonishment factor". As you said
> bug 640775 already covers one aspect of my issue, but the second point
> (portable FF should not silently attach to anything it finds on a host) is
> also important.

Then we should close this bug out. The part about not being able to uninstall is covered by bug 640775, the part about Portable Firefox not using global add-ons is a bug to file with whoever maintains portable Firefox. They can fix it using the preference that henrik mentioned.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Makes sense, thanks.
You need to log in before you can comment on or make changes to this bug.