From 7d788ae73c65b1ca3255d833ac6d980855d71e12 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 21 Jan 2026 12:50:51 -0800
Subject: [PATCH] Fix: S3 CORS headers missing for non-existent buckets (#8078)
Fix S3 CORS for non-existent buckets Enable fallback to global CORS configuration when a bucket is not found (s3err.ErrNoSuchBucket). This ensures consistent CORS behavior and prevents information disclosure.
---
 weed/s3api/cors/middleware.go | 3 +++
 weed/s3api/cors/middleware_test.go | 6 +++---
 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/weed/s3api/cors/middleware.go b/weed/s3api/cors/middleware.go
index 2f0b8d438..5794f7277 100644
--- a/weed/s3api/cors/middleware.go
+++ b/weed/s3api/cors/middleware.go
@@ -50,6 +50,9 @@ func (m *Middleware) getCORSConfig(bucket string) (*CORSConfiguration, bool) {
 // No bucket config, proceed to fallback.
 case s3err.ErrNoSuchCORSConfiguration:
 // No bucket config, proceed to fallback.
+ case s3err.ErrNoSuchBucket:
+ // Bucket doesn't exist, proceed to fallback.
+ // This ensures we don't leak existence information and returning 403 vs 200.
 default:
 // Any other error means we should not proceed.
 return nil, false
diff --git a/weed/s3api/cors/middleware_test.go b/weed/s3api/cors/middleware_test.go
index e9f89a038..98f7940be 100644
--- a/weed/s3api/cors/middleware_test.go
+++ b/weed/s3api/cors/middleware_test.go
@@ -358,10 +358,10 @@ func TestMiddlewareFallbackWithError(t *testing.T) {
 description: "Internal errors should not expose CORS headers",
 },
 {
- name: "ErrNoSuchBucket should not trigger fallback",
+ name: "ErrNoSuchBucket should trigger fallback",
 errCode: s3err.ErrNoSuchBucket,
- expectedOriginHeader: "",
- description: "Bucket not found errors should not expose CORS headers",
+ expectedOriginHeader: "https://example.com",
+ description: "Bucket not found errors should expose CORS headers to prevent information disclosure",
 },
 {
 name: "ErrNoSuchCORSConfiguration should trigger fallback",
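Review bot: The comment added under `case s3err.ErrNoSuchBucket:` claims more than the fallback delivers, and its second sentence ("and returning 403 vs 200") does not parse. Falling back to the global configuration makes a missing bucket look like an existing bucket that has no CORS rules of its own; a bucket with bucket-level rules that differ from the global ones would presumably still answer with different headers, and every error reaching `default` still gets none. I would word it as `// Bucket doesn't exist: use the global CORS config so the headers match those of a bucket without its own CORS rules.` and leave the broader guarantee out. The switch and getCORSConfig both start and end outside the hunk, so the earlier case labels are not visible here.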
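Review bot: The updated `ErrNoSuchBucket` case pins only `expectedOriginHeader`, while the property the commit relies on is that a missing bucket is indistinguishable from one without a CORS configuration. As far as the visible table fields show, nothing compares the two responses, so a later change that alters one path and not the other would still pass. Consider asserting in the loop that the `ErrNoSuchBucket` and `ErrNoSuchCORSConfiguration` cases produce the same set of `Access-Control-*` headers. The table and the assertion loop of TestMiddlewareFallbackWithError continue outside the hunk, so this may already be covered there.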