* fix: Refactor CORS middleware to consistently apply the `Vary: Origin` header when a configuration exists and streamline request processing logic.
* fix: Add Vary: Origin header to CORS OPTIONS responses and refactor request handling for clarity and correctness.
* fix: update CORS middleware tests to correctly parse and check for 'Origin' in Vary header.
* refactor: extract `hasVaryOrigin` helper function to simplify Vary header checks in tests.
* test: Remove `Vary: Origin` header from CORS test expectations.
* refactor: consolidate CORS request handling into a new `processCORS` method using a `next` callback.
Fix S3 CORS for non-existent buckets
Enable fallback to global CORS configuration when a bucket is not found (s3err.ErrNoSuchBucket). This ensures consistent CORS behavior and prevents information disclosure.
Fixes#8065
Problem:
- CORS headers were only applied after checking bucket existence
- Non-existent buckets returned responses without CORS headers
- This caused CORS preflight failures and information disclosure vulnerability
- Unauthenticated users could infer bucket existence from CORS header presence
Solution:
- Moved CORS evaluation before bucket existence check in middleware
- CORS headers now applied consistently regardless of bucket existence
- Preflight requests succeed for non-existent buckets (matching AWS S3)
- Actual requests still return NoSuchBucket error but with CORS headers
Changes:
- Modified Handler() and HandleOptionsRequest() in middleware.go
- Added comprehensive test suite for non-existent bucket scenarios
- All 39 tests passing (31 existing + 8 new)
Security Impact:
- Prevents information disclosure about bucket existence
- Bucket existence cannot be inferred from CORS header presence/absence
AWS S3 Compatibility:
- Improved compatibility with AWS S3 CORS behavior
- Preflight requests now succeed for non-existent buckets
test: add HTTPS test cases for CORS wildcard subdomain matching
This adds comprehensive test coverage for HTTPS subdomain wildcard matching
in TestMatchesOrigin:
- https exact match
- https no match
- https wildcard subdomain match
- https wildcard subdomain no match (base domain)
- https wildcard subdomain no match (different domain)
- protocol mismatch tests (http pattern vs https origin and vice versa)
The matchWildcard function was already working correctly - this just adds
test coverage for the HTTPS cases that were previously untested.
Note: The cache invalidation is already handled synchronously by
setBucketMetadata() which is called via:
- UpdateBucketCORS -> UpdateBucketMetadata -> setBucketMetadata
- ClearBucketCORS -> UpdateBucketMetadata -> setBucketMetadata
Added clarifying comments to document this call chain.
* add fallback for cors
* refactor
* expose aws headers
* add fallback to test
* refactor
* Only falls back to global config when there's explicitly no bucket-level config.
* fmt
* Update s3_cors_http_test.go
* refactoring
* fix listing objects
* add more list testing
* address comments
* fix next marker
* fix isTruncated in listing
* fix tests
* address tests
* Update s3api_object_handlers_multipart.go
* fixes
* store json into bucket content, for tagging and cors
* switch bucket metadata from json to proto
* fix
* Update s3api_bucket_config.go
* fix test issue
* fix test_bucket_listv2_delimiter_prefix
* Update cors.go
* skip special characters
* passing listing
* fix test_bucket_list_delimiter_prefix
* ok. fix the xsd generated go code now
* fix cors tests
* fix test
* fix test_bucket_list_unordered and test_bucket_listv2_unordered
do not accept the allow-unordered and delimiter parameter combination
* fix test_bucket_list_objects_anonymous and test_bucket_listv2_objects_anonymous
The tests test_bucket_list_objects_anonymous and test_bucket_listv2_objects_anonymous were failing because they try to set bucket ACL to public-read, but SeaweedFS only supported private ACL.
Updated PutBucketAclHandler to use the existing ExtractAcl function which already supports all standard S3 canned ACLs
Replaced the hardcoded check for only private ACL with proper ACL parsing that handles public-read, public-read-write, authenticated-read, bucket-owner-read, bucket-owner-full-control, etc.
Added unit tests to verify all standard canned ACLs are accepted
* fix list unordered
The test is expecting the error code to be InvalidArgument instead of InvalidRequest
* allow anonymous listing( and head, get)
* fix test_bucket_list_maxkeys_invalid
Invalid values: max-keys=blah → Returns ErrInvalidMaxKeys (HTTP 400)
* updating IsPublicRead when parsing acl
* more logs
* CORS Test Fix
* fix test_bucket_list_return_data
* default to private
* fix test_bucket_list_delimiter_not_skip_special
* default no acl
* add debug logging
* more logs
* use basic http client
remove logs also
* fixes
* debug
* Update stats.go
* debugging
* fix anonymous test expectation
anonymous user can read, as configured in s3 json.
粒粒橙
Chris Lu
Chris Lu