search

aws / aws-sdk-php

Official repository of the AWS SDK for PHP (@awsforphp)
http://aws.amazon.com/sdkforphp
Apache License 2.0
6.01k stars 1.22k forks source link

'ACL' statement on default in ObjectUploader, not supported anymore by AWS S3. #3008

Open JortJacobs opened 2 days ago

JortJacobs commented 2 days ago

Describe the bug

Creating a folder via OctoberCMS results in ACL complaints since it is not being supported anymore. This is related to the following file + line-item, containing 'ACL' statements: https://github.com/aws/aws-sdk-php/blob/058611bd22a81c873b1399892672861848e1d466/src/S3/ObjectUploader.php#L89.

Please remove that.

Regression Issue

Expected Behavior

ObjectUploader to work.

Current Behavior

It does not work.

Reproduction Steps

Call the function.

Possible Solution

No response

Additional Information/Context

No response

SDK version used

Latest.

Environment details (Version of PHP (php -v)? OS name and version, etc.)

8.3.6

RanVaknin commented 2 days ago

Hi @JortJacobs ,

ACLs being disabled by default is the expected and documented behavior and is controlled via the S3 service, not the SDK.

Please refer to: Blogpost S3 Notice S3 docs

Thanks, Ran~

stobrien89 commented 2 days ago

Just wanted to chime in: the above only applies to buckets created on or after April 2023. Newly created buckets can be configured to enable ACLs, but ACLs no longer fall into S3's recommended security best practices. The SDK still sets a default ACL of private in the ObjectUploader class, which is legacy behavior that still works. We left this in place for backward compatibility reasons. S3 still allows private ACLs.

It sounds like OctoberCMS has a high-level filesystem abstraction over the SDK/S3 that relies on ACLs. If they are defaulting to anything other than private, they'll need to change that.