Bug 491543

Summary: Firefox is reenabling disabled plugins
Product: [Fedora] Fedora
Component: firefox
Version: 11
Status: CLOSED WONTFIX
Severity: medium
Priority: low
Hardware: All
OS: Linux
Reporter: Bruno Wolff III <bruno>
Assignee: Martin Stransky <stransky>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: agk, chkr, gecko-bugs-nobody, stransky, walters
Keywords: Reopened
Doc Type: Bug Fix
Last Closed: 2010-06-28 07:32:30 EDT

Description Bruno Wolff III 2009-03-22 16:36:33 EDT
Description of problem:
When firefox is started it re-enables plugins that have been disabled. This is especially concerning because it adds links to a directory that appears to only be writeable by root.

Version-Release number of selected component (if applicable):
firefox-3.1-0.7.beta2.fc11.i586

How reproducible:
Seems to be 100%

Steps to Reproduce:
1. Shut down firefox
2. /usr/bin/mozilla-plugin-config -r
3. ls /usr/lib/mozilla/plugins-wrapped
4. start firefox
5. ls /usr/lib/mozilla/plugins-wrapped
  
Actual results:
The second ls lists:
gecko-mediaplayer-dvx.so               libtotem-cone-plugin.so
gecko-mediaplayer-qt.so                libtotem-gmp-plugin.so
gecko-mediaplayer-rm.so                libtotem-mully-plugin.so
gecko-mediaplayer.so                   libtotem-narrowspace-plugin.so
gecko-mediaplayer-wmp.so               libvlcplugin.so
libgnashplugin.so                      npwrapper.so
libjavaplugin.so                       xine-logo.ogg
librhythmbox-itms-detection-plugin.so  xineplugin.so
libswfdecmozilla.so

Expected results:
When it should just show:
npwrapper.so

Additional info:
/usr/bin/mozilla-plugin-config needs to be run as root to work.
Comment 1 Matěj Cepl 2009-04-08 04:16:41 EDT
Thanks for the bug report.  We have reviewed the information you have provided above, and there is some additional information we require that will be helpful in our diagnosis of this issue.

First of all, could we get the output of the command

	rpm -qa *xulrun* *firefox* *mozilla* *flash* *plugin*

Do you use nspluginwrapper (it is default in all Fedoras)? If so, then your ls command is not conclusive. Could we please get the output of the command

mozilla-plugin-config -l

pasted here into a comment?

We will review this issue again once you've had a chance to attach this information.

Thanks in advance.
Comment 2 Bruno Wolff III 2009-04-08 15:45:12 EDT
I am not sure what you mean by "use" nspluginwrapper? I don't believe I have disabled it. However my intention is not to run any plugins with firefox. If it isn't an image, text, html, xml, xhtml or css I want it to offer a download, not try to run an app to process the object. So in that sense I shouldn't be using it.

[root@cerberus bruno]# rpm -qa *xulrun* *firefox* *mozilla* *flash* *plugin*
claws-mail-plugins-vcalendar-3.7.1-2.fc11.x86_64
totem-mozplugin-2.26.1-2.fc11.x86_64
gnumeric-plugins-extras-1.8.4-1.fc11.x86_64
plymouth-plugin-pulser-0.7.0-0.2009.03.10.2.fc11.x86_64
gstreamer-plugins-schroedinger-1.0.6-1.fc11.x86_64
xfce4-timer-plugin-0.6.1-3.fc11.x86_64
yum-plugin-list-data-1.1.21-2.fc11.noarch
gstreamer-plugins-bad-0.10.11-3.fc11.x86_64
gstreamer-plugins-ugly-0.10.11-1.fc11.x86_64
gstreamer-plugins-base-devel-0.10.22-2.fc11.x86_64
xfce4-eyes-plugin-4.4.0-6.fc11.x86_64
xfce4-smartbookmark-plugin-0.4.2-8.fc11.x86_64
xfce4-websearch-plugin-0.1.1-0.10.20070428svn2704.fc11.x86_64
xfce4-time-out-plugin-0.1.1-3.fc11.x86_64
gutenprint-plugin-5.2.3-5.fc11.x86_64
xfce4-diskperf-plugin-2.2.0-3.fc11.x86_64
thunar-media-tags-plugin-0.1.2-6.fc11.x86_64
audacious-plugins-freeworld-mp3-1.5.1-2.fc11.x86_64
yum-plugin-protect-packages-1.1.21-2.fc11.noarch
xine-plugin-1.0.2-2.fc11.x86_64
thunar-archive-plugin-0.2.4-6.fc11.x86_64
xfce4-xfapplet-plugin-0.1.0-8.fc11.x86_64
xfce4-mpc-plugin-0.3.3-3.fc11.x86_64
audacious-plugins-freeworld-aac-1.5.1-2.fc11.x86_64
xfce4-dict-plugin-0.5.2-3.fc11.x86_64
xfce4-cpugraph-plugin-0.4.0-5.fc11.x86_64
xfce4-weather-plugin-0.6.2-5.fc11.x86_64
plymouth-plugin-label-0.7.0-0.2009.03.10.2.fc11.x86_64
yum-plugin-protectbase-1.1.21-2.fc11.noarch
plymouth-plugin-fade-in-0.7.0-0.2009.03.10.2.fc11.x86_64
xfce4-notes-plugin-1.6.4-1.fc11.x86_64
alsa-plugins-pulseaudio-1.0.18-3.fc11.i586
vamp-plugin-sdk-2.0-5.fc11.x86_64
swfdec-mozilla-0.9.2-2.fc11.x86_64
plymouth-plugin-solar-0.7.0-0.2009.03.10.2.fc11.x86_64
mozilla-filesystem-1.9-4.fc11.x86_64
xfce4-fsguard-plugin-0.4.2-3.fc11.x86_64
audacious-plugins-freeworld-tta-1.5.1-2.fc11.x86_64
nspluginwrapper-1.3.0-5.fc11.x86_64
maven2-plugin-release-2.0.4-11.19.fc11.x86_64
gstreamer-plugins-farsight-0.12.10-2.fc11.x86_64
xfce4-xkb-plugin-0.5.2-3.fc11.x86_64
mythplugins-0.22-0.2.svn.r20293.fc11.x86_64
xfce4-sensors-plugin-0.10.99.6-4.fc11.x86_64
trac-mercurial-plugin-0.11.0.7-2.20090205svn7817.fc11.noarch
allegro-jack-plugin-4.2.2-12.fc11.x86_64
gnash-plugin-0.8.5-3.fc11.x86_64
firefox-3.1-0.11.beta3.fc11.x86_64
nagios-plugins-game-1.4.13-14.fc11.x86_64
plymouth-plugin-spinfinity-0.7.0-0.2009.03.10.2.fc11.x86_64
allegro-esound-plugin-4.2.2-12.fc11.x86_64
mozilla-vlc-1.0.0-0.1pre1.fc11.x86_64
xulrunner-devel-1.9.1-0.11.beta3.fc11.x86_64
audacious-plugins-freeworld-mms-1.5.1-2.fc11.x86_64
gstreamer-plugins-good-0.10.14-2.fc11.x86_64
yum-plugin-priorities-1.1.21-2.fc11.noarch
crossfire-plugins-1.11.0-3.fc11.x86_64
xfce4-clipman-plugin-0.9.1-1.fc11.x86_64
xfce4-systemload-plugin-0.4.2-6.fc11.x86_64
yum-plugin-versionlock-1.1.21-2.fc11.noarch
PackageKit-yum-plugin-0.4.6-2.fc11.x86_64
xfce4-mailwatch-plugin-1.1.0-3.fc11.x86_64
xfce4-wavelan-plugin-0.5.4-6.fc11.x86_64
maven-shared-plugin-testing-harness-1.0-5.7.fc11.x86_64
xfce4-datetime-plugin-0.6.1-3.fc11.x86_64
xfce4-places-plugin-1.1.0-5.fc11.x86_64
xulrunner-1.9.1-0.11.beta3.fc11.x86_64
xfce4-battery-plugin-0.5.1-2.fc11.x86_64
gstreamer-plugins-flumpegdemux-0.10.15-6.fc11.x86_64
yum-plugin-allowdowngrade-1.1.21-2.fc11.noarch
audacious-plugins-freeworld-wma-1.5.1-2.fc11.x86_64
gedit-plugins-2.22.3-4.fc11.x86_64
plymouth-system-plugin-0.7.0-0.2009.03.10.2.fc11.x86_64
anaconda-yum-plugins-1.0-4.fc11.noarch
alsa-plugins-pulseaudio-1.0.18-3.fc11.x86_64
allegro-arts-plugin-4.2.2-12.fc11.x86_64
yum-plugin-merge-conf-1.1.21-2.fc11.noarch
java-1.6.0-openjdk-plugin-1.6.0.0-19.b14.fc11.x86_64
audacious-plugins-freeworld-1.5.1-2.fc11.x86_64
thunar-shares-plugin-0.2.0-1.fc11.x86_64
yum-plugin-remove-with-leaves-1.1.21-2.fc11.noarch
xulrunner-python-1.9.1-0.11.beta3.fc11.x86_64
xfce4-verve-plugin-0.3.6-3.fc11.x86_64
xfce4-mount-plugin-0.5.5-3.fc11.x86_64
kipi-plugins-0.2.0-2.fc11.x86_64
xfce4-screenshooter-plugin-1.5.1-1.fc11.x86_64
yum-plugin-keys-1.1.21-2.fc11.noarch
xfce4-genmon-plugin-3.2-3.fc11.x86_64
yum-plugin-upgrade-helper-1.1.21-2.fc11.noarch
trac-git-plugin-0.0.1-8.20070705svn1536.fc11.noarch
gstreamer-plugins-base-0.10.22-2.fc11.x86_64
setroubleshoot-plugins-2.0.15-1.fc11.noarch
yum-plugin-verify-1.1.21-2.fc11.noarch
xfce4-quicklauncher-plugin-1.9.4-4.fc11.x86_64
konq-plugins-4.2.2-1.fc11.x86_64
audacious-plugins-1.5.1-3.fc11.x86_64
qmmp-plugins-freeworld-0.2.3-3.fc11.x86_64
audacious-plugins-freeworld-alac-1.5.1-2.fc11.x86_64
xfce4-netload-plugin-0.4.0-9.fc11.x86_64
nagios-plugins-1.4.13-14.fc11.x86_64
gstreamer-plugins-bad-extras-0.10.11-3.fc11.x86_64
gstreamer-plugins-good-devel-0.10.14-2.fc11.x86_64

[root@cerberus bruno]# mozilla-plugin-config -l
EXCLUDE_WRAP:
libtotem*
libjavaplugin*
gecko-mediaplayer*
mplayerplug-in*
librhythmbox*
EXCLUDE_LINK:

File/Link /usr/lib/mozilla/plugins-wrapped/libnpg.so
File/Link /usr/lib/mozilla/plugins-wrapped/libpbr.so
/usr/lib64/mozilla/plugins-wrapped/nswrapper_64_64.libswfdecmozilla.so
  Original plugin: /usr/lib64/mozilla/plugins/libswfdecmozilla.so
  Wrapper version string: X (1.3.0)
File/Link /usr/lib64/mozilla/plugins-wrapped/libtotem-gmp-plugin.so
File/Link /usr/lib64/mozilla/plugins-wrapped/libtotem-cone-plugin.so
File/Link /usr/lib64/mozilla/plugins-wrapped/xine-logo.ogg
File/Link /usr/lib64/mozilla/plugins-wrapped/gecko-mediaplayer-rm.so
File/Link /usr/lib64/mozilla/plugins-wrapped/gecko-mediaplayer-wmp.so
File/Link /usr/lib64/mozilla/plugins-wrapped/gecko-mediaplayer-qt.so
File/Link /usr/lib64/mozilla/plugins-wrapped/gecko-mediaplayer-dvx.so
File/Link /usr/lib64/mozilla/plugins-wrapped/libjavaplugin.so
File/Link /usr/lib64/mozilla/plugins-wrapped/libtotem-narrowspace-plugin.so
File/Link /usr/lib64/mozilla/plugins-wrapped/libtotem-mully-plugin.so
File/Link /usr/lib64/mozilla/plugins-wrapped/librhythmbox-itms-detection-plugin.so
/usr/lib64/mozilla/plugins-wrapped/nswrapper_64_64.xineplugin.so
  Original plugin: /usr/lib64/mozilla/plugins/xineplugin.so
  Wrapper version string: X (1.3.0)
/usr/lib64/mozilla/plugins-wrapped/nswrapper_64_64.libvlcplugin.so
  Original plugin: /usr/lib64/mozilla/plugins/libvlcplugin.so
  Wrapper version string: X (1.3.0)
/usr/lib64/mozilla/plugins-wrapped/nswrapper_64_64.libgnashplugin.so
  Original plugin: /usr/lib64/mozilla/plugins/libgnashplugin.so
  Wrapper version string: X (1.3.0)
File/Link /usr/lib64/mozilla/plugins-wrapped/gecko-mediaplayer.so
/usr/lib64/mozilla/plugins-wrapped/nswrapper_64_64.libswfdecmozilla.so
  Original plugin: /usr/lib64/mozilla/plugins/libswfdecmozilla.so
  Wrapper version string: X (1.3.0)
File/Link /usr/lib64/mozilla/plugins-wrapped/libtotem-gmp-plugin.so
File/Link /usr/lib64/mozilla/plugins-wrapped/libtotem-cone-plugin.so
File/Link /usr/lib64/mozilla/plugins-wrapped/xine-logo.ogg
File/Link /usr/lib64/mozilla/plugins-wrapped/gecko-mediaplayer-rm.so
File/Link /usr/lib64/mozilla/plugins-wrapped/gecko-mediaplayer-wmp.so
File/Link /usr/lib64/mozilla/plugins-wrapped/gecko-mediaplayer-qt.so
File/Link /usr/lib64/mozilla/plugins-wrapped/gecko-mediaplayer-dvx.so
File/Link /usr/lib64/mozilla/plugins-wrapped/libjavaplugin.so
File/Link /usr/lib64/mozilla/plugins-wrapped/libtotem-narrowspace-plugin.so
File/Link /usr/lib64/mozilla/plugins-wrapped/libtotem-mully-plugin.so
File/Link /usr/lib64/mozilla/plugins-wrapped/librhythmbox-itms-detection-plugin.so
/usr/lib64/mozilla/plugins-wrapped/nswrapper_64_64.xineplugin.so
  Original plugin: /usr/lib64/mozilla/plugins/xineplugin.so
  Wrapper version string: X (1.3.0)
/usr/lib64/mozilla/plugins-wrapped/nswrapper_64_64.libvlcplugin.so
  Original plugin: /usr/lib64/mozilla/plugins/libvlcplugin.so
  Wrapper version string: X (1.3.0)
/usr/lib64/mozilla/plugins-wrapped/nswrapper_64_64.libgnashplugin.so
  Original plugin: /usr/lib64/mozilla/plugins/libgnashplugin.so
  Wrapper version string: X (1.3.0)
File/Link /usr/lib64/mozilla/plugins-wrapped/gecko-mediaplayer.so
Comment 3 Matěj Cepl 2009-04-10 08:21:30 EDT
(In reply to comment #2)
> I am not sure what you mean by "use" nspluginwrapper? I don't believe I have
> disabled it. However my intention is not to run any plugins with firefox. If it
> isn't an image, text, html, xml, xhtml or css I want it to offer a download,
> not try to run an app to process the object. So in that sense I shouldn't be
> using it.

OK, that makes sense (kind of). I will investigate this further, but for now, I think the best workaround I can suggest to you is to switch off all plugins in NoScript (being paranoid as you seem to be you have Noscript installed, right?; no offense meant, of course).

Matej
Comment 4 Matěj Cepl 2009-04-10 08:35:22 EDT
This link might be of interest
http://forums.mozillazine.org/viewtopic.php?p=2625151
Comment 5 Bruno Wolff III 2009-04-10 09:46:50 EDT
No, I tried noscript and didn't like it. I now am just turning it on and off manually, as there are only a few places I need it on for.
What I did in the short run is uninstall the flash players. I didn't really use them, but I don't think I should have to uninstall stuff to disable it.
It was more of a concern to me that netscape could change this stuff, as it is changing things in a global place that should require root access to change. In particular these were executable code. It may be that there are some safeguards, but it's hard to tell without knowing how the change is being made.
In the long run I'll probably switch browsers. What I like about it is the proportional fonts that make reading easier than say something like lynx. But the crappy security handling of plugins and certificates is motivating me to look at other open source browsers; I just have other stuff to do right now.
Comment 6 Martin Stransky 2009-04-10 10:29:43 EDT
You can disable plug-ins in the Firefox menu. Tools -> Add-ons -> Plugins tab -> Disable. Or remove unused plugins from /usr/lib64/mozilla/plugins.
Comment 7 Bruno Wolff III 2009-04-10 10:57:09 EDT
The bug is about Firefox reenabling plugins when it is run, without asking and especially badly, being run without root access. (Though there may be some policykit or console kit permission that facilitates this.)
So having a way to disable plugins in firefox doesn't really solve the issue.
Comment 8 Martin Stransky 2009-04-11 03:23:51 EDT
It's not a bug, it's a feature and I worked hard to get this mechanism to perform smoothly. mozilla-plugin-config is a SUID application so it doesn't need to be run by root.

Anyway, if you believe the mechanism is wrong, please submit your solution for how it should work.
Comment 9 Bruno Wolff III 2009-04-11 14:08:57 EDT
Well it's a security issue since you are allowing an ordinary user to control which code might be run by other users. I think it's low risk, but they shouldn't be able to just do this. Is there a policykit or consolekit control over whether someone can do this?

The other thing that is odd is that it just gets run. If someone disabled some plugins (using the same tool even) why would you want them automatically reenabled?

Also note that removing plugins from /usr/lib64/mozilla/plugins isn't the best solution as stuff there is typically managed by rpm. I shouldn't have to uninstall something (in normal cases) to keep it from being used. I might have some other program besides firefox that I want to use it with.
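
The two observations in this thread (the helper is SUID, and entries reappear in the wrapped-plugin directory after the browser starts) can be checked on a given system with a small audit script. This is an added example, not part of the bug report or of the Fedora packages; the function names `is_setuid`, `snapshot` and `changed_after` are hypothetical, and the paths are supplied by the caller.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; paths are supplied by the caller.

# is_setuid FILE: true if FILE is a regular file with the set-user-ID bit.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# snapshot DIR: one sorted line per entry: name, kind, and symlink target if any.
snapshot() {
    snap_dir=$1
    for entry in "$snap_dir"/*; do
        # Skip the literal pattern left by an unmatched glob; keep dangling symlinks.
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        if [ -L "$entry" ]; then
            printf '%s\tlink\t%s\n' "${entry##*/}" "$(readlink "$entry")"
        else
            printf '%s\tfile\n' "${entry##*/}"
        fi
    done | LC_ALL=C sort
}

# changed_after DIR CMD...: run CMD, then print the names of entries in DIR
# that are new or whose link target changed while CMD ran.
changed_after() {
    watch_dir=$1; shift
    before=$(mktemp); after=$(mktemp)
    snapshot "$watch_dir" > "$before"
    "$@" >&2                      # keep CMD's own output out of the result
    snapshot "$watch_dir" > "$after"
    LC_ALL=C comm -13 "$before" "$after" | cut -f1
    rm -f "$before" "$after"
}

# Usage: sh plugin-audit.sh HELPER DIR CMD...
# e.g. HELPER=/usr/bin/mozilla-plugin-config
#      DIR=/usr/lib64/mozilla/plugins-wrapped  CMD=firefox
if [ "$#" -ge 3 ]; then
    helper=$1; shift
    if is_setuid "$helper"; then echo "setuid bit set: $helper"; fi
    changed_after "$@"
fi
```

Run it as an unprivileged user after `mozilla-plugin-config -r`: any names printed are entries that the launched command caused to appear in a directory that user cannot write to directly.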
Comment 10 Bug Zapper 2009-06-09 08:30:13 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 11 Bug Zapper 2010-04-27 09:17:41 EDT
This message is a reminder that Fedora 11 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 11.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '11'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 11's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 11 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 12 Bug Zapper 2010-06-28 07:32:30 EDT
Fedora 11 changed to end-of-life (EOL) status on 2010-06-25. Fedora 11 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.