Fix: S3 CORS headers missing for non-existent buckets (#8078)

Fix S3 CORS for non-existent buckets Enable fallback to global CORS configuration when a bucket is not found (s3err.ErrNoSuchBucket). This ensures consistent CORS behavior and prevents information disclosure.
2026-01-21 12:50:51 -08:00
parent 3f879b8d2b
commit 7d788ae73c
2 changed files with 6 additions and 3 deletions
--- a/weed/s3api/cors/middleware.go
+++ b/weed/s3api/cors/middleware.go
@@ -50,6 +50,9 @@ func (m *Middleware) getCORSConfig(bucket string) (*CORSConfiguration, bool) {
 		// No bucket config, proceed to fallback.
 	case s3err.ErrNoSuchCORSConfiguration:
 		// No bucket config, proceed to fallback.
+	case s3err.ErrNoSuchBucket:
+		// Bucket doesn't exist, proceed to fallback.
+		// This ensures we don't leak existence information and returning 403 vs 200.
 	default:
 		// Any other error means we should not proceed.
 		return nil, false
--- a/weed/s3api/cors/middleware_test.go
+++ b/weed/s3api/cors/middleware_test.go
@@ -358,10 +358,10 @@ func TestMiddlewareFallbackWithError(t *testing.T) {
 			description:          "Internal errors should not expose CORS headers",
 		},
 		{
-			name:                 "ErrNoSuchBucket should not trigger fallback",
+			name:                 "ErrNoSuchBucket should trigger fallback",
 			errCode:              s3err.ErrNoSuchBucket,
-			expectedOriginHeader: "",
-			description:          "Bucket not found errors should not expose CORS headers",
+			expectedOriginHeader: "https://example.com",
+			description:          "Bucket not found errors should expose CORS headers to prevent information disclosure",
 		},
 		{
 			name:                 "ErrNoSuchCORSConfiguration should trigger fallback",