Skip to content

Added --allow-unsecure-downloads option for HTTP downloads #615

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
AmelBawa-msft merged 7 commits into from
Jul 16, 2025
Merged

Added --allow-unsecure-downloads option for HTTP downloads #615

AmelBawa-msft merged 7 commits into from
Jul 16, 2025

Conversation

@AmelBawa-msft
Copy link
Contributor

@AmelBawa-msft AmelBawa-msft commented Jul 12, 2025
edited
Loading

By default only HTTPS URL are supported for downloads. Use the "--allow-unsecure-downloads" option to allow HTTP URLs.

Help message

PS C:\> wingetcreate new --help
...
  --allow-unsecure-downloads    Allow unsecure downloads (HTTP) for this operation.
...

Unsecure download

PS C:\> wingetcreate new http://mock
Downloading and parsing: http://mock...
Failed to download installer.
Only HTTPS URLs are supported without "--allow-unsecure-downloads"

Unsupported protocol

PS C:\> wingetcreate new ftp://mock
Downloading and parsing: ftp://mock...
Failed to download installer.
Only HTTPS URL are supported for downloads. Use the "--allow-unsecure-downloads" option to allow HTTP URLs.

Reference:

Microsoft Reviewers: Open in CodeFlow

@AmelBawa-msft
Copy link
Contributor Author

AmelBawa-msft commented Jul 12, 2025

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Jul 12, 2025

Azure Pipelines successfully started running 1 pipeline(s).

mdanish-kh
mdanish-kh reviewed Jul 13, 2025
View reviewed changes
@AmelBawa-msft
Copy link
Contributor Author

AmelBawa-msft commented Jul 16, 2025

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Jul 16, 2025

Azure Pipelines successfully started running 1 pipeline(s).

@yao-msft
Copy link

yao-msft commented Jul 16, 2025

I feel the security team will not be happy with this change. Is there a reason we allow http downloads? I remember winget only accepts https.

@mdanish-kh
Copy link
Contributor

mdanish-kh commented Jul 16, 2025
edited
Loading

I feel the security team will not be happy with this change. Is there a reason we allow http downloads?

The title threw me off a bit as well where I thought we were explicitly adding support for HTTP where it previously wasn't :D But actually, currently wingetcreate supports both HTTP and HTTPS. This change makes it so that HTTP downloads aren't allowed by default, and one has to pass an explicit switch (which makes this a breaking change as well?)

I remember winget only accepts https

I don't think that's the case. Apparently there are still manifests with HTTP InstallerURLs in winget-pkgs. See https://github.com/search?q=repo%3Amicrosoft%2Fwinget-pkgs+InstallerUrl%3A+%2Fhttp%3A%2F&type=code. One example being package meew0.Lion which winget doesn't have a problem with (winget download meew0.Lion --version 1.0)

@yao-msft
Copy link

yao-msft commented Jul 16, 2025

Ok, digging through my very ancient email threads. now I remember we "tried" to limit to https only but it affects a good portion of the packages in the repo. And since we have sha256 verification, we end up not doing the restriction.

JohnMcPMS
JohnMcPMS reviewed Jul 16, 2025
View reviewed changes
yao-msft
yao-msft approved these changes Jul 16, 2025
View reviewed changes
Copy link

@yao-msft yao-msft left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think a full fix (from security perspective) would be make this switch behind something like admin settings/group policy. But I don't know if we'll want to go that far. Anyway this is a good first step towards that.

@AmelBawa-msft
Copy link
Contributor Author

AmelBawa-msft commented Jul 16, 2025

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Jul 16, 2025

Azure Pipelines successfully started running 1 pipeline(s).

@AmelBawa-msft
Copy link
Contributor Author

AmelBawa-msft commented Jul 16, 2025

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Jul 16, 2025

Azure Pipelines successfully started running 1 pipeline(s).

@AmelBawa-msft AmelBawa-msft requested a review from yao-msft July 16, 2025 22:38
@AmelBawa-msft AmelBawa-msft merged commit a26ec29 into main Jul 16, 2025
5 checks passed
@AmelBawa-msft AmelBawa-msft deleted the user/amelbawa/tls branch July 16, 2025 22:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@JohnMcPMS JohnMcPMS JohnMcPMS left review comments

@yao-msft yao-msft yao-msft approved these changes

+1 more reviewer

@mdanish-kh mdanish-kh mdanish-kh left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@AmelBawa-msft @yao-msft @mdanish-kh @JohnMcPMS