  1. LDEV-1396

Default ACL for file operations on S3 must be "private"

    Details

    • Type: Bug
    • Status: Deployed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 5.2.2.60
    • Fix Version/s: 5.2.5.4, S3 0.9.4.114
    • Labels:
      None
    • Environment:

      Windows 10
      Lucee 5.2.2.60-SNAPSHOT

    • Sprint:
      September 2017 Sprint

      Description

      It looks like Lucee is setting file permissions on S3 to "public-read" by default, and in addition the acl="private" attribute is simply ignored.

      I have set the this.s3 attributes (accessKeyId and awsSecretKey) in Application.cfc.

      <cfscript>
      // credentials come from this.s3.accessKeyId / this.s3.awsSecretKey in Application.cfc
      s3ep = "s3-ap-southeast-2.amazonaws.com"; // we are in Sydney region
      bucketName = "privateBucket";
      fileName = "privateObject.txt";

      s3_fileName = "s3://" & bucketName & "/" & fileName;                  // Lucee S3 resource path
      s3_fileLink = "https://" & s3ep & "/" & bucketName & "/" & fileName;  // plain HTTPS URL of the same object

      fileWrite(s3_fileName, "test");

      // alternatively you can use the following code with the same results
      // file action="write" file=s3_fileName output="test" acl="private";
      // please note that the acl="private" attribute is simply ignored

      // the following line will fix the permissions
      // storeSetACL(s3_fileName, "private");

      // unauthenticated GET of the object: should fail with Access Denied
      h = new http(method="get", url=s3_fileLink).send().getPrefix();
      writeOutput(h.fileContent);
      </cfscript>

      Obviously I should get "Access Denied" XML output from the last line, but I am getting the file content instead.

      A call to the storeSetACL function right after the file operation will fix the issue, but the default permission on an S3 object must be "private"!
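      As an added example (not part of this report and not Lucee's own code): a helper that applies the storeSetACL workaround described above and then checks the result twice, once through Lucee's storeGetACL and once with an unauthenticated GET that must be refused. It assumes the this.s3 credentials are configured in Application.cfc as in the report, uses the bucket and object names constructed in the report, and assumes storeGetACL returns an array of grant structs carrying "group" and "permission" keys.

```cfml
<cfscript>
// Added example: write an object via Lucee's s3:// resource, force the ACL to
// "private", and verify that no AllUsers grant survives. Not code from the report.

function writePrivateS3Object(required string s3Path, required string content) {
    // 1. Write the object. On the affected Lucee build the object ends up public-read.
    fileWrite(arguments.s3Path, arguments.content);

    // 2. Workaround from the report: explicitly reset the ACL right after the write.
    storeSetACL(arguments.s3Path, "private");

    // 3. Verify through the Lucee API. Assumption: storeGetACL returns an array of
    //    structs with "group" (e.g. "all" for AllUsers) and "permission" keys.
    var grants = storeGetACL(arguments.s3Path);
    for (var g in grants) {
        if (structKeyExists(g, "group") && g.group == "all") {
            throw(type="S3AclError",
                  message="#arguments.s3Path# still grants #g.permission# to AllUsers");
        }
    }
    return grants;
}

// 4. Independent check: an unauthenticated GET of the object must be refused.
//    Lucee's http result exposes the numeric status in status_code.
function assertNotPublic(required string url) {
    var res = new http(method="get", url=arguments.url).send().getPrefix();
    if (res.status_code != 403) {
        throw(type="S3AclError",
              message="expected 403 for #arguments.url# but got #res.status_code#");
    }
    return res.status_code;
}

// Constructed names, as in the report (assumed bucket/key, Sydney endpoint).
bucketName = "privateBucket";
fileName   = "privateObject.txt";
s3Path  = "s3://" & bucketName & "/" & fileName;
httpUrl = "https://s3-ap-southeast-2.amazonaws.com/" & bucketName & "/" & fileName;

writePrivateS3Object(s3Path, "test");
assertNotPublic(httpUrl);
writeOutput("ACL verified private for " & s3Path);
</cfscript>
```

      The GET check is the one that matters operationally: it does not depend on how Lucee reports grants, only on what S3 actually serves to an anonymous caller, so it will keep catching a public-read default even if the ACL API changes shape.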


            People

            • Assignee:
              michaeloffner Michael Offner
            • Reporter:
              dmitry Dmitry Yakhnov
            • Votes:
              2
            • Watchers:
              5
