[wix-devs] Unexpected issue with redirect

Blair Murri osito at live.com
Fri Aug 16 12:20:19 PDT 2019


Since the end user installing doesn't supply the URL, I'm at a loss as to what the security implications are of redirecting from http to https if the domain is the same.


________________________________
From: wix-devs <wix-devs-bounces at lists.wixtoolset.org> on behalf of Hoover, Jacob via wix-devs <wix-devs at lists.wixtoolset.org>
Sent: Friday, August 16, 2019 10:27:30 AM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Cc: Hoover, Jacob <Jacob.Hoover at greenheck.com>
Subject: Re: [wix-devs] Unexpected issue with redirect

Looks like we could support this, but not certain if we should if the user has chosen to enable the policy.

Doing it up front seems to be simple, using InternetQueryOption for INTERNET_OPTION_SECURITY_FLAGS, then adding SECURITY_FLAG_IGNORE_REDIRECT_TO_HTTPS to the flags and assigning it back.

Allowing the user to do this via a prompt (the recommended way: https://docs.microsoft.com/en-us/windows/win32/wininet/security-guidelines ), is way more convoluted.  From what I can glean from the limited documentation, we would need to respond to the error returned from HttpSendRequestW, then prompt the user via InternetConfirmZoneCrossing.  Sadly, I can find exactly 0 examples on the proper usage of this method.  (I could guess that I would call it, and if it returns ERROR_SUCCESS then set the needed security flags and resend the request.)

-----Original Message-----
From: wix-devs [mailto:wix-devs-bounces at lists.wixtoolset.org] On Behalf Of Hoover, Jacob via wix-devs
Sent: Friday, August 16, 2019 10:34 AM
To: WiX Toolset Developer Mailing List <wix-devs at lists.wixtoolset.org>
Cc: Hoover, Jacob <Jacob.Hoover at greenheck.com>
Subject: [wix-devs] Unexpected issue with redirect

I have a MsiPackage in my bundle which uses the Payload/@DownloadUrl over HTTP.  I recently migrated this content from a private server to Azure, and updated the web server to redirect the bundle to the new location.  WinINet seems to have an issue when I redirect from HTTP to HTTPS if the user has the IE/WinINet option turned on ( Tools -> Internet Options -> Advanced -> Security and look for the "Warn if changing between secure and non secure mode" setting at the bottom of the form. )

With this turned on, my bundle fails with:
[3ED4:3E20][2019-08-16T10:20:54]i338: Acquiring package: X, payload: X, download from: http://...
[3ED4:3E20][2019-08-16T10:20:54]e000: Error 0x80072f07: Failed to send request to URL: http://....msi, trying to process HTTP status code anyway.
[3ED4:3E20][2019-08-16T10:20:54]e000: Error 0x80072f76: Failed attempt to download URL: 'http://...' to: 'C:\Users\Y\AppData\Local\Temp\...'

From http://errco.de/win32/winerror-h/wininet_e_http_to_https_on_redir/0x80072f07/, A redirect request will change a non-secure to a secure connection.

And http://errco.de/win32/winerror-h/wininet_e_header_not_found/0x80072f76/, The requested header was not found

While I could dig into burn and attempt to disable this option for the bundle, my fear is that if I disable this option then the valid use case for the error of HTTPS -> HTTP would be disabled.


Ref: https://social.technet.microsoft.com/Forums/en-US/e3179ec9-5460-43b7-a47f-6f941b82a377/sharepoint-server-2016-prerequisitesinstallerexe-error-install-microsoft-odbc-driver-11-for-sql?forum=SP2016

Thanks,
Jacob

____________________________________________________________________
WiX Toolset Developer Mailing List provided by FireGiant http://www.firegiant.com/
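
The distinction the thread turns on (an HTTP -> HTTPS upgrade on the same host versus the HTTPS -> HTTP downgrade that should keep failing) can be expressed as a check made before any redirect warning is suppressed. This is an added example, not WiX/Burn code or code from the posters; `classify_redirect`, its verdict names and the same-host rule are assumptions of the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

typedef enum { REDIR_ALLOW, REDIR_DENY_DOWNGRADE,
               REDIR_DENY_HOST_CHANGE, REDIR_DENY_MALFORMED } redir_verdict;

/* Case-insensitive match of n bytes; b must hold n non-NUL bytes. */
static int ci_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    return 1;
}

/* Extract scheme security and host from an absolute http(s) URL. */
static int split_url(const char *url, int *secure, const char **host, size_t *len)
{
    if (ci_eq(url, "https://", 8))     { *secure = 1; url += 8; }
    else if (ci_eq(url, "http://", 7)) { *secure = 0; url += 7; }
    else return -1;
    size_t auth = strcspn(url, "/\\?#");    /* authority ends at path/query/fragment */
    for (size_t i = auth; i > 0; i--)       /* drop userinfo up to the last '@' */
        if (url[i - 1] == '@') { url += i; auth -= i; break; }
    size_t h = 0;
    if (auth > 0 && url[0] == '[')          /* IPv6 literal: host runs through ']' */
        while (h < auth && url[h++] != ']') {}
    else
        while (h < auth && url[h] != ':') h++;   /* strip :port */
    if (h == 0) return -1;
    *host = url; *len = h;
    return 0;
}

/* Hypothetical helper (not WiX/Burn code): verdict for a redirect from -> to. */
redir_verdict classify_redirect(const char *from, const char *to)
{
    int s_from, s_to;
    const char *h_from, *h_to;
    size_t n_from, n_to;
    if (split_url(from, &s_from, &h_from, &n_from) != 0 ||
        split_url(to, &s_to, &h_to, &n_to) != 0)
        return REDIR_DENY_MALFORMED;
    if (s_from && !s_to)
        return REDIR_DENY_DOWNGRADE;        /* HTTPS -> HTTP must keep failing */
    if (n_from != n_to || !ci_eq(h_from, h_to, n_from))
        return REDIR_DENY_HOST_CHANGE;      /* upgrade accepted only on the same host */
    return REDIR_ALLOW;
}
```

A redirect to a different host, such as a move to another hosting provider, is rejected by this rule and would need an explicit allow-list decision by the bundle author.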


