Http proxy basic authentication on windows

[sylvlecl]

This is a proposition to solve the issue reported in this discussion.

Instead of just providing the content of HTTPS_PROXY environment variable, we now parse it to extract proxy credentials, then provide it to WinHTTP API (which is not as simple as one could expect).

I've been able to validate the behaviour in a test environment with a squid proxy.

Notes

• use of regex may be overkill ...
• In order to have the whole chain working, this would need to be ported to C executable tls12-download. Otherwise, windows users behind a proxy still need to download vcpkg.exe without the bootstrap script

[sylvlecl]

@microsoft-github-policy-service agree company="RTE"

[guilpier-code]

I tried it and it worked.
Good job !
For hours I tried to make it work, even trying to involve my company's IT.
Thanks, it's being of great help

[BillyONeal]

1. Parsing URIs with regex is notoriously difficult and I'm not convinced that there wouldn't be ways to exploit this.
2. We've tried really really hard to break the std::regex dependency entirely because all the std::regex implementations are awful.

Perhaps this means we should be looking at deploying something like trurl?

[sylvlecl]

Thank you for the feedback!
Actually here it should be pretty easy to use simple string search instead of regex. I can implement this.

For "deploying trurl", would you mean adding a dependency to libcurl, on which trurl seems to rely behind the scene?
But I'm not sure it's easy to use on windows. I guess in that case it would make sense to completely rely on libcurl for the download.
Or do you mean something else, like requiring the user to install trurl in addition to vcpkg.exe?

[sylvlecl]

I removed the regex use in last commit, to use only basic string searches.

[BillyONeal]

• In order to have the whole chain working, this would need to be ported to C executable tls12-download. Otherwise, windows users behind a proxy still need to download vcpkg.exe without the bootstrap script

tls12-download needs to be very very tiny in order to do its job since it needs to be checked in. Customers in this condition can manually download a vcpkg.exe with any browser they want.

[BillyONeal]

It seems like this should at least contain all the forms in the RFC: https://www.rfc-editor.org/rfc/rfc3986#section-1.1.2

[BillyONeal]

This seems incorrect as the password separator, if present, must be inside the userinfo. Perhaps the STL algorithm form would be clearer since it makes chopping ranges into subranges like this easy:

auto user_info_end = std::find(remaining_parts.begin(), remaining_parts.end(), '@');
if (user_info_end != remaining_parts.end()) {
    auto password_separator = std::find(remaining_parts.begin(), user_info_end, ':');
    if (password_separator != user_info_end) {
        auto password_start = password_separator + 1;
        credentials = ProxyCredentials{std::wstring(remaining_parts.begin(), password_separator - remaining_parts.begin()),
        std::wstring(password_start, user_info_end - password_start)};
    }
}

Also, you want the character finds (L'@') not string finds (L"@").

[BillyONeal]

I think it would be a good idea to make the parsing stuff etc. use chars rather than wchar_ts making that parsing code consistent with all other parsing code in the product.

[BillyONeal]

Please use StringView rather than std::wstring_view as we don't want to add a dependency on a new C++17 feature in order to have this. (Note that this would also require the char* rather than wchar_t* suggestion below)

[BillyONeal]

This leaks a T if that new throws. Can you just use unique_ptr please?

[BillyONeal]

DWORD_PTR is a pointer-sized variable itself. It models uintptr_t not uintptr_t*. You should be able to pass T* directly.

[BillyONeal]

Given that this data is tied to the lifetime of the request, is there any reason we don't just use an ordinary member variable and pass reinterpret_cast<DWORD_PTR>(this) for that?

Then set_proxy_credentials_on_redirect does reinterpret_cast<WinHttpRequest*>(pContext)->any data you want.

[BillyONeal]

It seems very concerning to me to just arbitrarily staple basic auth creds when a redirect happens, in particular because basic auth is not safe to use without TLS. So if there is TLS for the first request, and that redirects to a not TLS place, stapling creds on again leaked the creds to the whole internet.

This kind of thing makes me extremely nervous to take this change. Perhaps the right behavior is that if we see proxy stuff that looks like it needs auth to always use curl.exe instead...

[sylvlecl]

I understand your concerns, I am clearly not a security expert. For sure relying on a proven solution would be more comfortable.

For the case you describe, I don't think this can happen: from my company network, the redirected request will go through the proxy again (it cannot go to the internet without going through the proxy), and I assume the proxy removes the credentials from the transferred request.

[sylvlecl]

Indeed curl.exe seems to be widely present on windows at least in developer environments (comes with git), so it may be reasonable to rely on it!

[BillyONeal]

We already rely on it all over the place :)

[sylvlecl]

Ok, so I understand that just changing that condition (= use winhttp only if there are no headers, else use curl), to use curl also when we have credentials in the URL, would be the best solution ?

vcpkg-tool/src/vcpkg/base/downloads.cpp

Line 764 in fb6c0b5

if (headers.size() == 0)

[sylvlecl]

See alternative proposition based on this idea in #1434 : we can close this PR if it is indeed a better way to go.

[BillyONeal]

Closing this PR because #1434 was merged and fixes the problem. Thanks!