Reply to thread

Message

My environment is fine, have worked in the AWS space for long enough to know how to set up environments correctly. Doing a manual install of the Flysystem S3 Adaptor pulls in version 3.209.16(edit - of the AWSPHP SDK). You're using a library that is 3+ years old and 140+ versions behind. And that has serious security implications, such the inability for XF to properly handle AWS credentials. And there are functional issues as well, so yes please, ship an up-to-date library, and that should apply for all your bundled third-party libraries. Managing supply-chain vulnerabilities is a tiresome, but an essential task.

[QUOTE="Jim Boy, post: 1560013, member: 25006"] My environment is fine, have worked in the AWS space for long enough to know how to set up environments correctly. Doing a manual install of the Flysystem S3 Adaptor pulls in version 3.209.16(edit - of the AWSPHP SDK). You're using a library that is 3+ years old and 140+ versions behind. And that has serious security implications, such the inability for XF to properly handle AWS credentials. And there are functional issues as well, so yes please, ship an up-to-date library, and that should apply for all your bundled third-party libraries. Managing supply-chain vulnerabilities is a tiresome, but an essential task. [/QUOTE]

Verification

Reply to thread

We value your privacy