Fix: S3 CORS headers missing for non-existent buckets (#8078)

Fix S3 CORS for non-existent buckets Enable fallback to global CORS configuration when a bucket is not found (s3err.ErrNoSuchBucket). This ensures consistent CORS behavior and prevents information disclosure.
2026-01-21 12:50:51 -08:00
parent 3f879b8d2b
commit 7d788ae73c
2 changed files with 6 additions and 3 deletions
--- a/weed/s3api/cors/middleware.go
+++ b/weed/s3api/cors/middleware.go
@@ -50,6 +50,9 @@ func (m *Middleware) getCORSConfig(bucket string) (*CORSConfiguration, bool) {
 		// No bucket config, proceed to fallback.
 	case s3err.ErrNoSuchCORSConfiguration:
 		// No bucket config, proceed to fallback.
+	case s3err.ErrNoSuchBucket:
+		// Bucket doesn't exist, proceed to fallback.
+		// This ensures we don't leak existence information and returning 403 vs 200.
 	default:
 		// Any other error means we should not proceed.
 		return nil, false