Added --allow-unsecure-downloads option for HTTP downloads

[AmelBawa-msft]

By default only HTTPS URL are supported for downloads. Use the "--allow-unsecure-downloads" option to allow HTTP URLs.

Help message

PS C:\> wingetcreate new --help
...
  --allow-unsecure-downloads    Allow unsecure downloads (HTTP) for this operation.
...

Unsecure download

PS C:\> wingetcreate new http://mock
Downloading and parsing: http://mock...
Failed to download installer.
Only HTTPS URLs are supported without "--allow-unsecure-downloads"

Unsupported protocol

PS C:\> wingetcreate new ftp://mock
Downloading and parsing: ftp://mock...
Failed to download installer.
Only HTTPS URL are supported for downloads. Use the "--allow-unsecure-downloads" option to allow HTTP URLs.

Reference:

• http://task.ms/56305543

Microsoft Reviewers: Open in CodeFlow

[AmelBawa-msft]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[AmelBawa-msft]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[yao-msft]

I feel the security team will not be happy with this change. Is there a reason we allow http downloads? I remember winget only accepts https.

[mdanish-kh]

I feel the security team will not be happy with this change. Is there a reason we allow http downloads?

The title threw me off a bit as well where I thought we were explicitly adding support for HTTP where it previously wasn't :D But actually, currently wingetcreate supports both HTTP and HTTPS. This change makes it so that HTTP downloads aren't allowed by default, and one has to pass an explicit switch (which makes this a breaking change as well?)

I remember winget only accepts https

I don't think that's the case. Apparently there are still manifests with HTTP InstallerURLs in winget-pkgs. See https://github.com/search?q=repo%3Amicrosoft%2Fwinget-pkgs+InstallerUrl%3A+%2Fhttp%3A%2F&type=code. One example being package meew0.Lion which winget doesn't have a problem with (winget download meew0.Lion --version 1.0)

[yao-msft]

Ok, digging through my very ancient email threads. now I remember we "tried" to limit to https only but it affects a good portion of the packages in the repo. And since we have sha256 verification, we end up not doing the restriction.

[yao-msft]

I think a full fix (from security perspective) would be make this switch behind something like admin settings/group policy. But I don't know if we'll want to go that far. Anyway this is a good first step towards that.

[AmelBawa-msft]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[AmelBawa-msft]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).