Bug 1403588

Summary: /usr/share/bugzilla/assets/.htaccess: Require not allowed here
Product: [Fedora] Fedora Reporter: Adrian Reber <adrian>
Component: bugzillaAssignee: Emmanuel Seyman <emmanuel>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 25CC: bazanluis20, dwt, emmanuel, hughbragg, itamar, perl-devel
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: bugzilla-5.0.3-4.fc25 bugzilla-5.0.3-5.fc26 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1438957 (view as bug list) Environment:
Last Closed: 2017-04-25 02:22:30 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1438957    

Description Adrian Reber 2016-12-11 17:29:33 UTC 
Description of problem:
Cannot access js and css files under /usr/share/bugzilla/assets/
Getting following error in the error.log

/usr/share/bugzilla/assets/.htaccess: Require not allowed here


Version-Release number of selected component (if applicable):
bugzilla-5.0.3-3.fc25.noarch

How reproducible:
Always


Package seems to be unmodified. No output from 'rpm -V bugzilla'

buglist.cgi works but no css and js files are loaded.
Comment 1 Emmanuel Seyman 2016-12-11 19:34:35 UTC 
I'll take this one.
Comment 2 Dennis W. Tokarski 2016-12-21 23:14:29 UTC 
Just ran into this this afternoon. Some web research led
to at least a workaround. Modify /etc/httpd/conf.d/bugzilla.conf
so that the line

  AllowOverride Limit Options FileInfo Indexes

instead reads

  AllowOverride Limit Options FileInfo Indexes AuthConfig

Then be sure to systemctl reload httpd.

Can't speak as to whether that's a proper fix or not, but it
made the problem go away.
Comment 3 Dennis W. Tokarski 2016-12-21 23:32:34 UTC 
And by the way, once you get the home page to render, the large
icons for bug/search/usr/docs are missing.

The client is trying to fetch e.g /skins/standard/index/search.png and getting a 404. It should be trying for /bugzilla/skins....

Temporary fix is to edit bugzilla.conf again and at the top add

  Alias /skins /usr/share/bugzilla/skins

Looks like a bug in the cgi script for the home page.

Sorry for not filing this separately, emmanuel, but since you're on this anyway...

Hope this helps.
Comment 4 Hugh 2017-02-26 11:53:51 UTC 
This problem still exists in Fedora 25, Bugzilla 5.0.3.

The workaround described by Dennis in comment #2 has been applied and isn't effective.
The home Bugzilla page is displayed without formatting.

This possibly unrelated message always precedes the 4 "Require not allowed" messages from the home page:
AH01215: [Sun Feb 26 21:45:53 2017] Bugzilla.pm: sysread() is deprecated on :utf8 handles at /usr/share/perl5/vendor_perl/File/Slurp.pm line 225.: /usr/share/bugzilla/index.cgi
Comment 5 Emmanuel Seyman 2017-02-26 13:11:24 UTC 
(In reply to Hugh from comment #4)
> 
> The workaround described by Dennis in comment #2 has been applied and isn't
> effective.
> The home Bugzilla page is displayed without formatting.

Strange... I've been testing the fix and it works for me.

> This possibly unrelated message always precedes the 4 "Require not allowed"
> messages from the home page:
> AH01215: [Sun Feb 26 21:45:53 2017] Bugzilla.pm: sysread() is deprecated on
> :utf8 handles at /usr/share/perl5/vendor_perl/File/Slurp.pm line 225.:
> /usr/share/bugzilla/index.cgi

Yes, this is unrelated. I've also backported the upstream commit that fixes this.
Still working on the /skins issues...
Comment 6 Hugh 2017-02-26 18:43:46 UTC 
It looks like the Require clause in the generated .htaccess files are causing the problem. When I remove this file, it works. Maybe have a look at the generation method to see why the Require clause is included.
Comment 7 Emmanuel Seyman 2017-02-26 22:21:39 UTC 
We really want to prevent directory listings of /usr/share/bugzilla/assets/ so the Require clause needs to stay.

It would be interesting to figure out why adding the AuthConfig override on your system doesn't allow you to use Require in .htaccess files.
Comment 8 Hugh 2017-02-27 03:12:10 UTC 
Sounds like a bug. I have a fresh install with no customisations.
Is there anything specific I can do to help resolve this?
btw. I didn't have the /skins problem.
Comment 9 Emmanuel Seyman 2017-02-27 08:23:31 UTC 
(In reply to Hugh from comment #8)
>
> Is there anything specific I can do to help resolve this?

Double check that you do have an AuthConfig override for /usr/share/bugzilla/assets/ (or any parent directory) and restart httpd. If that still doesn't solve your problem, file a bug against httpd.

> btw. I didn't have the /skins problem.

Ah. Curiouser and curiouser...
Comment 10 Hugh 2017-02-27 12:56:55 UTC 
This is in /etc/httpd/conf.d/bugzilla.conf

Alias /var/lib/bugzilla/data/webdot /var/lib/bugzilla/data/webdot
Alias /bugzilla /usr/share/bugzilla

<Directory /usr/share/bugzilla>

  <IfModule mod_authz_core.c>
    # Bugzilla will be accessible to all machines in your network
    # Replace with "Require local" if you want access to be restricted
    # to this machine.
    Require all granted
  </IfModule>

  AddHandler cgi-script .cgi
  Options +Indexes +ExecCGI +FollowSymLinks
  DirectoryIndex index.cgi index.html
  AllowOverride Limit Options FileInfo Indexes
  AddType application/vnd.mozilla.xul+xml .xul
  AddType application/rdf+xml .rdf
</Directory>

<Directory /var/lib/bugzilla/data/webdot>
  Require all granted
</Directory>


The only other thing affecting this directory is in httpd.conf

<Directory />
    AllowOverride none
    Require all denied
</Directory>

I noticed this:
/usr/share/bugzilla/assets -> ../../../var/lib/bugzilla/assets
Which may explain the problem.
Comment 11 Fedora Update System 2017-04-05 16:30:56 UTC 
bugzilla-5.0.3-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-f2f561c439
Comment 12 Fedora Update System 2017-04-05 16:31:20 UTC 
bugzilla-5.0.3-5.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-e676c0dbc1
Comment 13 Fedora Update System 2017-04-06 20:23:45 UTC 
bugzilla-5.0.3-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-f2f561c439
Comment 14 Fedora Update System 2017-04-06 22:22:02 UTC 
bugzilla-5.0.3-5.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-e676c0dbc1
Comment 15 Fedora Update System 2017-04-25 02:22:30 UTC 
bugzilla-5.0.3-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 16 Fedora Update System 2017-04-25 21:33:30 UTC 
bugzilla-5.0.3-5.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.