I have a feeling this might be a significant enough behavior change (breaking a workflow which application developers might already have encoded into their software) that we wouldn't be able to safely backport it without having it as an optional mitigation that defaults to the original behavior. Then deployers can choose explicitly to disallow PUT DLOs via tempurl in their environments without forcing it on all deployments consuming stable branches.
If we do end up making it configurable and leave the original behavior as the default, then this is territory for documenting in a security note, not an advisory.