- Status changed to Active
almost 2 years ago 11:06am 18 January 2023
FileDownloadController::download() assumes any file scheme that is not private should have public cache control headers applied. This poses a potential security issue with file schemes provided by contrib modules such as flysystem_s3, where a private AWS S3 bucket is set up and used to store private and sensitive files. A developer may be unaware that sensitive files are being cached because the Cache-Control header of the file is being set to Public. I have marked this issue Critical as a result of this scenario.
Even if an implementation of hook_file_download sets a Cache-Control header to private, if the $scheme is not private, \Symfony\Component\HttpFoundation\BinaryFileResponse::__construct will remove this header because $public is set to TRUE.
Should there be a method on \Drupal\Core\StreamWrapper\StreamWrapperInterface to determine if a file scheme is considered to be public, and use that method to set the $public parameter on the BinaryFileResponse constructor accordingly?
Thoughts?
https://www.drupal.org/project/drupal/issues/2148353 appears to be addressing file access issues but doesn't appear to be addressing this issue specifically.
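The header-stripping behaviour described in this issue, shown as an added example (not Drupal core or Symfony code): a Cache-Control: private header is passed to BinaryFileResponse with $public = TRUE, as FileDownloadController::download() does for any non-private scheme, and the private directive is lost; the second construction derives $public from an assumed allow-list of schemes instead. The scheme name "s3" and the $public_schemes list are assumptions for illustration.

```php
<?php
// Added example: demonstrates the BinaryFileResponse $public behaviour this
// issue describes. Requires symfony/http-foundation via Composer.
require 'vendor/autoload.php';

use Symfony\Component\HttpFoundation\BinaryFileResponse;

// Constructed sample file standing in for a file served from a private bucket.
$file = tempnam(sys_get_temp_dir(), 'demo');
file_put_contents($file, 'sensitive contents');

// Headers as a hook_file_download() implementation might return them.
$headers = ['Cache-Control' => 'private, max-age=0'];

// Mirrors the current controller logic: $public is TRUE because the scheme
// is merely "not private". BinaryFileResponse::__construct() calls
// setPublic(), which removes the "private" directive and adds "public".
$leaky = new BinaryFileResponse($file, 200, $headers, TRUE);
$leaky_still_private = $leaky->headers->hasCacheControlDirective('private');

// Defensive alternative: treat only explicitly known public schemes as
// public (assumed allow-list), so a contrib scheme such as s3 keeps the
// private directive supplied by the hook.
$scheme = 's3';                 // hypothetical contrib stream wrapper scheme
$public_schemes = ['public'];   // assumption: schemes known to be world-readable
$is_public = in_array($scheme, $public_schemes, TRUE);

$safe = new BinaryFileResponse($file, 200, $headers, $is_public);
$safe_still_private = $safe->headers->hasCacheControlDirective('private');

printf("public=TRUE keeps 'private': %s\n", var_export($leaky_still_private, TRUE));
printf("scheme-derived \$public keeps 'private': %s\n", var_export($safe_still_private, TRUE));

unlink($file);
```

Run it with `php demo.php` after `composer require symfony/http-foundation`; the first line reports whether the private directive survived the $public = TRUE construction, the second whether it survived the scheme-derived one.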
Active
10.1