notslang closed 10 years ago
Sorry about this, don't know how that snuck past me. Luckily it's an easy fix.
/cc @jameswyse @bockit
Hahaha wow. Thanks for the heads up slang800 and Hugh!
Yeah, thanks @slang800 :)
eek, thanks for the heads up :)
see: https://github.com/hughsk/s3-sync/blob/master/index.js#L114 and the corresponding docs: http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#CannedACL
The docs say this about public-read-write:
And the AllUsers group is defined as this:
So if I'm reading this correctly, anyone on the internet can overwrite files uploaded by this tool. That sounds like a pretty serious security issue.
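An added example, not part of the original issue or of s3-sync: a check over an ACL in the shape that S3's GetBucketAcl / GetObjectAcl return, flagging write-type grants to the public groups such as the AllUsers group discussed above. The function name, constant names and both sample ACLs (including the owner ID) are constructed for illustration.

```javascript
// Group URIs that S3 ACLs use for "anyone" and "any AWS account holder".
const PUBLIC_GROUPS = new Map([
  ['http://acs.amazonaws.com/groups/global/AllUsers', 'AllUsers'],
  ['http://acs.amazonaws.com/groups/global/AuthenticatedUsers', 'AuthenticatedUsers']
]);

// Permissions that let the grantee modify data or the ACL itself.
const WRITE_PERMISSIONS = new Set(['WRITE', 'WRITE_ACP', 'FULL_CONTROL']);

// Returns the grants that give a public group a write-type permission.
// `acl` is expected to look like { Grants: [{ Grantee, Permission }] }.
function findPublicWriteGrants(acl) {
  const grants = acl && Array.isArray(acl.Grants) ? acl.Grants : [];
  const findings = [];
  for (const grant of grants) {
    const grantee = grant.Grantee || {};
    if (grantee.Type !== 'Group') continue; // only group grants can be public
    const group = PUBLIC_GROUPS.get(grantee.URI);
    if (group && WRITE_PERMISSIONS.has(grant.Permission)) {
      findings.push({ group, permission: grant.Permission });
    }
  }
  return findings;
}

// Constructed sample: the grants the public-read-write canned ACL expands to.
const OWNER = { Type: 'CanonicalUser', ID: 'EXAMPLE-OWNER-ID' }; // placeholder
const ALL_USERS = {
  Type: 'Group',
  URI: 'http://acs.amazonaws.com/groups/global/AllUsers'
};
const SAMPLE_PUBLIC_READ_WRITE = {
  Grants: [
    { Grantee: OWNER, Permission: 'FULL_CONTROL' },
    { Grantee: ALL_USERS, Permission: 'READ' },
    { Grantee: ALL_USERS, Permission: 'WRITE' }
  ]
};

// Constructed sample: the private canned ACL (owner only).
const SAMPLE_PRIVATE = {
  Grants: [{ Grantee: OWNER, Permission: 'FULL_CONTROL' }]
};

console.log(findPublicWriteGrants(SAMPLE_PUBLIC_READ_WRITE));
console.log(findPublicWriteGrants(SAMPLE_PRIVATE));
```
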