gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
f6a2ef11ff6cabb01bd0c36bac11cab8b93754d4
seaweedFS/weed
History
Chris Lu f6a2ef11ff Fix CORS headers not applied to non-existent bucket responses (#8070) 
Fixes #8065

Problem:
- CORS headers were only applied after checking bucket existence
- Non-existent buckets returned responses without CORS headers
- This caused CORS preflight failures and information disclosure vulnerability
- Unauthenticated users could infer bucket existence from CORS header presence

Solution:
- Moved CORS evaluation before bucket existence check in middleware
- CORS headers now applied consistently regardless of bucket existence
- Preflight requests succeed for non-existent buckets (matching AWS S3)
- Actual requests still return NoSuchBucket error but with CORS headers

Changes:
- Modified Handler() and HandleOptionsRequest() in middleware.go
- Added comprehensive test suite for non-existent bucket scenarios
- All 39 tests passing (31 existing + 8 new)

Security Impact:
- Prevents information disclosure about bucket existence
- Bucket existence cannot be inferred from CORS header presence/absence

AWS S3 Compatibility:
- Improved compatibility with AWS S3 CORS behavior
- Preflight requests now succeed for non-existent buckets
2026-01-20 16:15:46 -08:00
..
admin
Fix maintenance worker panic and add EC integration tests (#8068)
2026-01-20 15:07:43 -08:00
cluster
fix: add filer fallback after consecutive connection failures (#8000)
2026-01-11 12:14:27 -08:00
command
Support for cacheMetaTtlSec option in fuse command (#8063)
2026-01-19 22:52:47 -08:00
credential
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
filer
filer: auto clean empty implicit s3 folders (#8051)
2026-01-17 22:10:15 -08:00
filer_client
Clean up logs and deprecated functions (#7339)
2025-10-17 22:11:50 -07:00
glog
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
iam
Fix: Propagate OIDC claims for dynamic IAM policies (#8060)
2026-01-19 13:39:18 -08:00
iamapi
IAM: Add Service Account Support (#7744) (#7901)
2025-12-29 20:17:23 -08:00
images
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
kms
S3 API: Add integration with KMS providers (#7152)
2025-08-22 22:10:30 -07:00
mount
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
mq
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
notification
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
operation
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
pb
Prevent split-brain: Persistent ClusterID and Join Validation (#8022)
2026-01-18 14:02:34 -08:00
query
fix: comprehensive go vet error fixes and add CI enforcement (#7861)
2025-12-23 14:48:50 -08:00
remote_storage
fix(gcs): resolve credential conflict in remote storage mount (#8013)
2026-01-12 12:22:42 -08:00
replication
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
s3api
Fix CORS headers not applied to non-existent bucket responses (#8070)
2026-01-20 16:15:46 -08:00
security
feat: Optional path-prefix and method scoping for Filer HTTP JWT (#8014)
2026-01-12 13:21:48 -08:00
sequence
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
server
Prevent split-brain: Persistent ClusterID and Join Validation (#8022)
2026-01-18 14:02:34 -08:00
sftpd
SFTP: support reloading user store on HUP signal (#7651)
2025-12-08 01:24:42 -08:00
shell
Fix #8040: Support '_default' keyword in collectionPattern to match default collection (#8046)
2026-01-16 12:31:48 -08:00
static
Fix Broken Links (#5287)
2024-02-14 08:26:38 -08:00
stats
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
storage
skip md5 validation if Content-MD5 is not provided
2026-01-18 15:04:56 -08:00
telemetry
Prevent split-brain: Persistent ClusterID and Join Validation (#8022)
2026-01-18 14:02:34 -08:00
topology
Prevent split-brain: Persistent ClusterID and Join Validation (#8022)
2026-01-18 14:02:34 -08:00
util
4.07
2026-01-18 15:48:09 -08:00
wdclient
chore: execute goimports to format the code (#7983)
2026-01-07 13:06:08 -08:00
worker
Fix maintenance worker panic and add EC integration tests (#8068)
2026-01-20 15:07:43 -08:00
Makefile
Update README and weed/Makefile (#7571)
2025-11-29 11:36:22 -08:00
weed.go
Fix the issue where fuse command on a node cannot specify multiple configuration directory paths (#7874)
2025-12-25 11:36:38 -08:00