boto / boto

For the latest version of boto, see https://github.com/boto/boto3 -- Python interface to Amazon Web Services

Home Page: http://docs.pythonboto.org/

s3: key.py _get_file_internal incorrectly injects implicit versionId into requests breaking permissions

bmkessler opened this issue · comments

In _get_file_internal, the GET request is made specifying a versionId even if none was supplied in the request.

https://github.com/gsutil-mirrors/boto/blob/cae713dd771bc918650efc1f2d0bf52c9e1a6a1c/boto/s3/key.py#L1521-L1525

    def _get_file_internal(...):
        ...

        # If a version_id is passed in, use that.  If not, check to see
        # if the Key object has an explicit version_id and, if so, use that.
        # Otherwise, don't pass a version_id query param.
        if version_id is None:
            version_id = self.version_id

where self.version_id was parsed from the response headers of a prior HEAD request:

https://github.com/gsutil-mirrors/boto/blob/cae713dd771bc918650efc1f2d0bf52c9e1a6a1c/boto/s3/key.py#L248-262

    def handle_version_headers(self, resp, force=False):
        provider = self.bucket.connection.provider
        # If the Key object already has a version_id attribute value, it
        # means that it represents an explicit version and the user is
        # doing a get_contents_*(version_id=<foo>) to retrieve another
        # version of the Key.  In that case, we don't really want to
        # overwrite the version_id in this Key object.  Comprende?
        if self.version_id is None or force:
            self.version_id = resp.getheader(provider.version_id, None)
        self.source_version_id = resp.getheader(provider.copy_source_version_id,
                                                None)
        if resp.getheader(provider.delete_marker, 'false') == 'true':
            self.delete_marker = True
        else:
            self.delete_marker = False

Note that this is breaking access using boto to files that do not have GetObjectVersions permission.

Hi there,

This package is deprecated and no longer supported. Please review the deprecation notice for migration to boto3. Thanks!

https://github.com/boto/boto#deprecation-notice