- Affected version
- 2.1,2.2
We've created an addon to serve attachments directly from S3 using S3 presigned URLs instead of routing through xenforo attachment controller .. we noticed that signed URLs keep working after expiry and after removing the signing secret .. checking the bucket, I found that attachments visibility is set to public ( bucket setting is set to private ) .. tracking the code I found the issue here
I know file names have hashes that can keep them obscure in normal use cases, but this needs to be fixed
PHP:
$internalData = new EventableFilesystem($internalDataAdapter, [
'visibility' => AdapterInterface::VISIBILITY_PUBLIC
]);
I know file names have hashes that can keep them obscure in normal use cases, but this needs to be fixed
Last edited: