hughsk / s3-sync

A streaming interface for uploading multiple files to S3.

files are uploaded as public-read-write #10

Closed notslang closed 10 years ago

notslang commented 10 years ago

see: https://github.com/hughsk/s3-sync/blob/master/index.js#L114 and the corresponding docs: http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html#CannedACL

The docs say this about public-read-write:

Owner gets FULL_CONTROL. The AllUsers group gets READ and WRITE access. Granting this on a bucket is generally not recommended.

And the AllUsers group is defined as this:

Access permission to this group allows anyone to access the resource. The requests can be signed (authenticated) or unsigned (anonymous). Unsigned requests omit the Authentication header in the request.

So if I'm reading this correctly, anyone on the internet can overwrite files uploaded by this tool. That sounds like a pretty serious security issue.
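
The following is an added example, not code from s3-sync or from anyone in this thread. It shows two defender-side checks for the condition described above: refusing a canned ACL that grants WRITE to the AllUsers group before an upload is issued, and auditing the `Grants` array an S3 GetObjectAcl / GetBucketAcl call returns for the same condition. The canned-ACL table and the predefined group URIs follow the AWS ACL documentation linked in the issue; `resolveUploadAcl` is a hypothetical option-handling helper (not s3-sync's API) and `SAMPLE_GRANTS` is constructed sample data.

```javascript
// Added example, not s3-sync code. Checks that an upload ACL, or an object's
// existing ACL grants, do not hand write access to anonymous callers.

// URIs S3 uses for its predefined groups (from the AWS ACL documentation).
const ALL_USERS = 'http://acs.amazonaws.com/groups/global/AllUsers';
const AUTHENTICATED_USERS = 'http://acs.amazonaws.com/groups/global/AuthenticatedUsers';

// Grants each canned ACL gives to the predefined groups. The owner always
// keeps FULL_CONTROL, which is omitted here; ACLs that only grant to the
// bucket owner (a canonical user, not a group) therefore map to an empty list.
const CANNED_ACL_GROUP_GRANTS = {
  'private': [],
  'public-read': [{ uri: ALL_USERS, permission: 'READ' }],
  'public-read-write': [
    { uri: ALL_USERS, permission: 'READ' },
    { uri: ALL_USERS, permission: 'WRITE' },
  ],
  'authenticated-read': [{ uri: AUTHENTICATED_USERS, permission: 'READ' }],
  'bucket-owner-read': [],
  'bucket-owner-full-control': [],
};

// Permissions that let the grantee modify the object or its ACL.
const WRITE_LIKE = new Set(['WRITE', 'WRITE_ACP', 'FULL_CONTROL']);

// True when the canned ACL lets anonymous (AllUsers) callers write.
function cannedAclGrantsAnonymousWrite(acl) {
  const grants = CANNED_ACL_GROUP_GRANTS[acl];
  if (!grants) throw new Error('unknown canned ACL: ' + acl);
  return grants.some(g => g.uri === ALL_USERS && WRITE_LIKE.has(g.permission));
}

// Hypothetical helper for a sync tool's option handling: default to
// 'private' and refuse any value that grants anonymous write.
function resolveUploadAcl(options) {
  const acl = (options && options.acl) || 'private';
  if (cannedAclGrantsAnonymousWrite(acl)) {
    throw new Error(`refusing to upload with ACL "${acl}": it grants WRITE to AllUsers`);
  }
  return acl;
}

// Audit a Grants array shaped like the SDK's GetObjectAcl response
// ({ Grantee: { Type, URI | ID }, Permission }). Returns the grants that
// give write-like access to either predefined group.
function findPublicWriteGrants(grants) {
  return grants.filter(g =>
    g.Grantee && g.Grantee.Type === 'Group' &&
    (g.Grantee.URI === ALL_USERS || g.Grantee.URI === AUTHENTICATED_USERS) &&
    WRITE_LIKE.has(g.Permission));
}

// Constructed sample: the grants an object uploaded with public-read-write
// shows when its ACL is read back (owner ID is a placeholder).
const SAMPLE_GRANTS = [
  { Grantee: { Type: 'CanonicalUser', ID: 'owner-canonical-id-placeholder' }, Permission: 'FULL_CONTROL' },
  { Grantee: { Type: 'Group', URI: ALL_USERS }, Permission: 'READ' },
  { Grantee: { Type: 'Group', URI: ALL_USERS }, Permission: 'WRITE' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(resolveUploadAcl({}));                       // private
  console.log(resolveUploadAcl({ acl: 'public-read' }));   // public-read
  try {
    resolveUploadAcl({ acl: 'public-read-write' });
  } catch (e) {
    console.log(e.message);
  }
  console.log(findPublicWriteGrants(SAMPLE_GRANTS));       // the AllUsers WRITE grant
}
```

The audit function is the part worth running against buckets that were already populated by a tool with this default: the canned-ACL check only protects future uploads, while existing objects keep whatever grants they were written with until their ACL is rewritten.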

hughsk commented 10 years ago

Sorry about this, don't know how that snuck past me. Luckily it's an easy fix.

hughsk commented 10 years ago

/cc @jameswyse @bockit

Bockit commented 10 years ago

Hahaha wow. Thanks for the heads up slang800 and Hugh!

hughsk commented 10 years ago

Yeah, thanks @slang800 :)

jameswyse commented 10 years ago

eek, thanks for the heads up :)