Cross scheme access attempt blocked

Created on 27 July 2023, over 1 year ago

Problem/Motivation

Steps to reproduce

Export to Excel is not working for any view after the s3 upgrade for Drupal 10 compatibility.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

3.3

Component

Code

Created by

🇮🇳India sushma22


Comments & Activities

  • Issue created by @sushma22
  • Issue was unassigned.
  • 🇺🇸United States cmlara

    Converting to a support request as there are no details indicating any bug is present.

    I would suggest validating that nothing being rendered as part of the view, or as part of the Excel export, is causing attempts to write through the protective boundary.

    Suggested reference material that has some details on this issue:
    https://www.drupal.org/sa-contrib-2022-057
    🐛 Drupal\s3fs\Exceptions\CrossSchemeAccessException: Cross scheme access attempt blocked in Drupal\s3fs\StreamWrapper\S3fsStream->preventCrossSchemeAccess() (line 81 of modules/contrib/s3fs/src/Traits/S3fsPathsTrait.php). Closed: cannot reproduce
    🐛 s3fs_cors with private/public takeover broken by SA-CONTRIB-2022-057 Closed: works as designed

  • 🇮🇳India sushma22

    Hi @cmlara,

    Please check the screenshot for the URI

  • Status changed to Closed: outdated over 1 year ago
  • 🇺🇸United States cmlara

    @sushma22 Unless you have changed s3fs.settings.public_folder the value 's3fs-public' is the default path for public:// takeover storage.

    To me the screenshot does indeed indicate you are very likely attempting to access files across schemes (using s3://s3fs-public instead of public://) meaning our security code is functioning as designed.

    I would suggest (after you confirm you haven't changed the public_folder setting) determining why/how you are accessing s3://s3fs-public/view_data_export/... to store a CSV file. Is that a view_data_export setting, or is it based on how you access an initial file, etc.?

    Postponing awaiting more info.

  • Status changed to Postponed: needs info over 1 year ago
  • 🇺🇸United States cmlara

    Somehow selected closed instead of postponed.

  • Status changed to Closed: works as designed over 1 year ago
  • 🇺🇸United States cmlara

    As additional information has not been provided in 2 weeks, I am assuming the previous answer from #4 has provided a resolution.

    If this is not the case and you are able to provide more details please re-open the issue.

  • 🇮🇳India sushma22

    Hi @cmlara,

    Yes, we have below settings set:

    define('RS_AWS_PUBLIC_DIRECTORY', 's3fs-public');
    define('RS_AWS_TEMP_DIRECTORY', 'temporary');
    $config['s3fs.settings']['public_folder'] = RS_AWS_PUBLIC_DIRECTORY;
    $settings['s3fs.upload_as_private'] = TRUE;
    $settings['s3fs.use_s3_for_public'] = TRUE;
    $config['s3fs.settings']['domain'] = RS_CMS_S3FS_CDN;
    $config['s3fs.settings']['use_https'] = TRUE;
    $config['s3fs.settings']['disable_cert_verify'] = FALSE;

    What changes are required to unblock this issue?

  • 🇺🇸United States cmlara

    Post #7 confirms that this code is functioning as designed.

    As noted in #4, when accessing these files you should use public://path/to/file, not s3://s3fs-public://path/to/file.

    You need to check your views_data_export configuration and adjust as needed.
