Cross scheme access attempt blocked

Issue created by @sushma22
Issue was unassigned.
Comment almost 2 years ago →
🇺🇸United States cmlara
Converting to a support request as there is no details indicating any bug is present.

I would suggest validating nothing being rendered as part of the view, or part of the excel export, is causing causing attempts to write through the protective boundary.

Suggested reference material that has some details on this issue:
https://www.drupal.org/sa-contrib-2022-057 →
🐛 Drupal\s3fs\Exceptions\CrossSchemeAccessException: Cross scheme access attempt blocked in Drupal\s3fs\StreamWrapper\S3fsStream->preventCrossSchemeAccess() (line 81 of modules/contrib/s3fs/src/Traits/S3fsPathsTrait.php). Closed: cannot reproduce
🐛 s3fs_cors with private/public takeover broken by SA-CONTRIB-2022-057 Closed: works as designed
Comment almost 2 years ago →
🇮🇳India sushma22
Hi @cmlara,

Please check the screenshot for the URI
Status changed to Closed: outdated almost 2 years ago5:40pm 31 July 2023
Comment almost 2 years ago →
🇺🇸United States cmlara
@sushma22 Unless you have changed s3fs.settings.public_folder the value 's3fs-public' is the default path for public:// takeover storage.

To me the screenshot does indeed indicate you are very likely attempting to access files across schemes (using s3://s3fs-public instead of public://) meaning our security code is functioning as designed.

I would suggest (after you confirm you haven't changed the public_folder setting) determine why/how you are accessing s3://s3fs-public/view_data_export/... to store a csv file. Is that a view_data_export setting or is it based on how you access an initial file, etc.

Postponing awaiting more info.
Status changed to Postponed: needs info almost 2 years ago5:56pm 31 July 2023
Comment almost 2 years ago →
🇺🇸United States cmlara
Somehow selected closed instead of postponed.
Status changed to Closed: works as designed almost 2 years ago4:58am 15 August 2023
Comment almost 2 years ago →
🇺🇸United States cmlara
As additional information has not been provided in 2 weeks I am assuming the previous answer from #4 has provided a resolution.

If this is not the case and you are able to provide more details please re-open the issue.
Comment 9 months ago →
🇮🇳India sushma22
Hi @cmlara,

Yes, we have below settings set:

define('RS_AWS_PUBLIC_DIRECTORY', 's3fs-public');
define('RS_AWS_TEMP_DIRECTORY', 'temporary');
$config['s3fs.settings']['public_folder'] = RS_AWS_PUBLIC_DIRECTORY;
$settings['s3fs.upload_as_private'] = TRUE;
$settings['s3fs.use_s3_for_public'] = TRUE;
$config['s3fs.settings']['domain'] = RS_CMS_S3FS_CDN;
$config['s3fs.settings']['use_https'] = TRUE;
$config['s3fs.settings']['disable_cert_verify'] = FALSE;

What changes are required to unblock this issue?
Comment 9 months ago →
🇮🇳India sushma22
Comment 9 months ago →
🇺🇸United States cmlara
Post #7 confirms that this code is functioning as designed.

As noted in #4 when accessing these files you should use public://path/to/file not s3://s3fs-public://path/to/file.

You need to check your views_data_export configuration and adjust as needed.

Cross scheme access attempt blocked

Problem/Motivation

Steps to reproduce

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

Comments & Activities