s3fs_cors with private/public takeover broken by SA-CONTRIB-2022-057

Created on 5 October 2022, about 2 years ago
Updated 24 April 2023, over 1 year ago

Problem/Motivation

When using s3fs_cors with public/private takeover (see ✨ Add support for public:// and private:// takeover Fixed), because s3fs_cors intentionally switches between the s3 and public/private file schemes, it triggers the exception added for SA-CONTRIB-2022-057.

It might be possible to fix this on the s3fs_cors side (although, not sure how), but opening this to track things.

Steps to reproduce

Proposed resolution

Potentially allow a flag to be set that allows cross-scheme operations; since this could only be set by PHP, it ought to still provide the original protection.

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Closed: works as designed

Version

3.0

Component

Code

Created by

🇬🇧 United Kingdom catch


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇺🇸 United States cmlara

    While #3251424 has not yet been merged, it appears to have a viable patch in it, indicating this does not require changes inside of s3fs.

    As no additional requests to change this process have been submitted, combined with #2's long-term integrity concerns if we were to do so, I'm going to close this out as works as designed.
