s3: key.py _get_file_internal incorrectly injects implicit versionId into requests breaking permissions
bmkessler opened this issue · comments
In _get_file_internal, the GET request is made specifying a versionId even if none was supplied in the request.
```python
def _get_file_internal(...):
    ...
    # If a version_id is passed in, use that. If not, check to see
    # if the Key object has an explicit version_id and, if so, use that.
    # Otherwise, don't pass a version_id query param.
    if version_id is None:
        version_id = self.version_id
```
where self.version_id was parsed from the response headers of a prior HEAD request
```python
def handle_version_headers(self, resp, force=False):
    provider = self.bucket.connection.provider
    # If the Key object already has a version_id attribute value, it
    # means that it represents an explicit version and the user is
    # doing a get_contents_*(version_id=<foo>) to retrieve another
    # version of the Key. In that case, we don't really want to
    # overwrite the version_id in this Key object. Comprende?
    if self.version_id is None or force:
        self.version_id = resp.getheader(provider.version_id, None)
    self.source_version_id = resp.getheader(provider.copy_source_version_id,
                                            None)
    if resp.getheader(provider.delete_marker, 'false') == 'true':
        self.delete_marker = True
    else:
        self.delete_marker = False
```
Note that this is breaking access using boto to files that do not have GetObjectVersions permission.
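The interaction reported above, reduced to a self-contained simulation for readers checking least-privilege S3 policies; this is an added example, not part of the original issue and not boto's code. `FakeS3`, the reduced `Key`, the `version_is_explicit` flag, `compare` and the version string are hypothetical or constructed, and the "explicit only" variant is one possible correction, not a fix taken from the project.

```python
# Added illustration, not boto's code. FakeS3 models one S3 rule only:
# a request carrying versionId is authorized against s3:GetObjectVersion,
# a request without it against s3:GetObject.
class FakeS3:
    """Constructed stand-in for a versioned bucket holding one object."""

    def __init__(self, allowed_actions):
        self.allowed = set(allowed_actions)
        self.current_version = "v-constructed-1"  # constructed sample value

    def request(self, method, version_id=None):
        needed = "s3:GetObjectVersion" if version_id else "s3:GetObject"
        if needed not in self.allowed:
            return 403, {}
        return 200, {"x-amz-version-id": self.current_version}


class Key:
    """Hypothetical reduction of the Key logic quoted in the issue."""

    def __init__(self, s3, explicit_version_id=None):
        self.s3 = s3
        self.version_id = explicit_version_id
        # Hypothetical flag: did the caller choose this version?
        self.version_is_explicit = explicit_version_id is not None

    def head(self):
        # Mirrors handle_version_headers: a plain HEAD fills in version_id.
        _, headers = self.s3.request("HEAD")
        if self.version_id is None:
            self.version_id = headers.get("x-amz-version-id")

    def get_as_reported(self, version_id=None):
        # Reported behaviour: the header-derived version_id is sent too.
        if version_id is None:
            version_id = self.version_id
        return self.s3.request("GET", version_id)[0]

    def get_explicit_only(self, version_id=None):
        # One possible correction (assumption): send only a caller-chosen id.
        if version_id is None and self.version_is_explicit:
            version_id = self.version_id
        return self.s3.request("GET", version_id)[0]


def compare(allowed_actions):
    """HEAD, then GET both ways; returns (reported_status, corrected_status)."""
    key = Key(FakeS3(allowed_actions))
    key.head()
    return key.get_as_reported(), key.get_explicit_only()
```

With a policy granting only `s3:GetObject`, the HEAD succeeds and the follow-up GET is the request that gets denied, which is why the failure surfaces on download rather than on lookup.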
Hi there,
This package is deprecated and no longer supported. Please review the deprecation notice for migration to boto3. Thanks!