rollback_allowed breaks the server (lacks support for protocol V3.1?) #51

Open
thebabush opened this issue Mar 29, 2022 · 5 comments

@thebabush

thebabush commented Mar 29, 2022

I'm testing some of the update-related policies for Brave, and in order to do that I tried to downgrade.

However, the server returns a "Bad Request" when rollback_allowed="true" in <updatecheck/>.

Example:

curl --verbose \
  'https://updates.bravesoftware.com/service/update2' \
  --data '<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" updaterversion="1.3.361.111" shell_version="1.3.361.111" ismachine="1" sessionid="XXX" installsource="update3web-ondemand" testsource="auto" requestid="XXX" periodoverridesec="1920" dedup="cr" domainjoined="1"><hw physmemory="8" sse="1" sse2="1" sse3="1" ssse3="1" sse41="1" sse42="1" avx="1"/><os platform="win" version="XXX" sp="" arch="x64"/><app appid="{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}" version="99.1.36.122" nextversion="" ap="x64-rel" lang="" brand="GGLS" client="" installage="0" installdate="5565"><updatecheck rollback_allowed="true" targetversionprefix="99.1.36.122"/><ping rd="5566" ping_freshness="XXX"/></app></request>'

^ This fails

curl --verbose \
  'https://updates.bravesoftware.com/service/update2' \
  --data '<?xml version="1.0" encoding="UTF-8"?><request protocol="3.0" updater="Omaha" updaterversion="1.3.361.111" shell_version="1.3.361.111" ismachine="1" sessionid="XXX" installsource="update3web-ondemand" testsource="auto" requestid="XXX" periodoverridesec="1920" dedup="cr" domainjoined="1"><hw physmemory="8" sse="1" sse2="1" sse3="1" ssse3="1" sse41="1" sse42="1" avx="1"/><os platform="win" version="XXX" sp="" arch="x64"/><app appid="{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}" version="99.1.36.122" nextversion="" ap="x64-rel" lang="" brand="GGLS" client="" installage="0" installdate="5565"><updatecheck targetversionprefix="99.1.36.122"/><ping rd="5566" ping_freshness="XXX"/></app></request>'

^ This works

Updater protocol reference: LINK

P.S.: I would gladly avoid rollbacks, but instances of Brave installed from a standalone installer don't seem to be able to update correctly. (EDIT: I might have downloaded a non-release setup.exe, so this might be on me)

@mherrmann
Collaborator

Hi, we're using version 3 of the server protocol (not 3.1), which does not include a rollback_allowed attribute.

@thebabush
Author

Ok, I will close this. Just know that Brave can be configured so as to ask for a rollback.

@mherrmann
Collaborator

I see. I thought you were just simulating requests with curl. The spec for 3.0 does not include rollback_allowed. But apparently it still gets sent by Google's later implementation. I'm reopening this for the future. If you have reproducible cases where Brave is not able to auto-update, then I would be very interested to hear about them.

@mherrmann mherrmann reopened this Mar 30, 2022
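
The mismatch discussed above, a request that declares protocol 3.0 but carries the rollback_allowed attribute the 3.0 spec does not include, can be flagged on the receiving side together with whether the pinned prefix would actually be a downgrade. This Python is an added example, not code from this project or from Omaha; `inspect_request`, `is_downgrade`, `sample` and the sample requests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

APPID = "{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}"  # app id from the issue

def _nums(text):
    """'98.' -> [98]; '99.1.36.122' -> [99, 1, 36, 122]."""
    return [int(p) for p in text.strip(".").split(".") if p.isdigit()]

def is_downgrade(version, prefix):
    """True if the pinned prefix is numerically older than the installed version.
    Component-wise comparison; an approximation of string-prefix matching."""
    target = _nums(prefix)
    return bool(target) and target < _nums(version)[:len(target)]

def inspect_request(xml_bytes):
    """Return one record per <app> that carries an <updatecheck>."""
    # Update requests never need a DTD; refuse it instead of expanding entities.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise ValueError("DTD not accepted in update request")
    root = ET.fromstring(xml_bytes)
    protocol = root.get("protocol", "")
    records = []
    for app in root.iter("app"):
        check = app.find("updatecheck")
        if check is None:
            continue
        rollback = check.get("rollback_allowed", "").lower() == "true"
        prefix = check.get("targetversionprefix", "")
        findings = []
        if protocol == "3.0" and "rollback_allowed" in check.attrib:
            findings.append("rollback_allowed sent under protocol 3.0")
        if rollback and is_downgrade(app.get("version", ""), prefix):
            findings.append("downgrade requested")
        records.append({"appid": app.get("appid"), "prefix": prefix,
                        "rollback": rollback, "findings": findings})
    return records

def sample(protocol, version, updatecheck_attrs):
    """Constructed request, trimmed from the shape of the curl body in the issue."""
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            f'<request protocol="{protocol}" updater="Omaha">'
            f'<app appid="{APPID}" version="{version}">'
            f'<updatecheck {updatecheck_attrs}/></app></request>').encode()

if __name__ == "__main__":
    for attrs in ('rollback_allowed="true" targetversionprefix="98."',
                  'targetversionprefix="99.1.36.122"'):
        print(inspect_request(sample("3.0", "99.1.36.122", attrs)))
```
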
@thebabush
Author

Yeah sorry, I should have made it clearer.

I bumped into this when messing with Brave Update Policies.

To reproduce:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\BraveSoftware\Update]
"AutoUpdateCheckPeriodMinutes"=dword:0000003c
"UpdateDefault"=dword:00000001
"RollbackToTargetVersion{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}"=dword:00000001
"TargetVersionPrefix{AFE6A462-C574-4B8A-AF43-4CC60DF4563B}"="98."

These policies apply only if your Windows machine is attached to a Domain (found out reading the source of Omaha).
However, you can set this to bypass the domain check:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\BraveSoftware]

[HKEY_LOCAL_MACHINE\SOFTWARE\BraveSoftware\UpdateDev]
"IsEnrolledToDomain"=dword:00000001

NOTE: Windows has a stupid way of handling registry keys for 32-bit programs running on x64. So you need to apply the latter .reg file using something like \Windows\SysWOW64\regedit.exe "%CD%\ForceIsEnrolledToDomain.reg" (or just manually add the key using normal regedit, but use path HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\UpdateDev).

@mherrmann
Collaborator

Thank you for clarifying!
