[rt-users] 403 Forbidden message when adding local customisations

Kevin Falcone falcone at bestpractical.com
Wed May 9 21:48:10 EDT 2012


On Thu, May 10, 2012 at 10:51:18AM +1000, Jenni Wilson wrote:
> We are upgrading RT from 3.8.7 to 4.0.5.
> 
> We have some mason customisations under
> /usr/local/share/request-trackerx/html/Ticket/Elements. These work fine
> under 3.8.7 but under 4.0.5 we are receiving a 403 Forbidden message and
> a blank screen.
> 
> The functionality of the customizations is such that a separate form
> containing custom fields is added to a ticket. When this form is
> submitted a new ticket should be created in a different queue; however,
> the 403 and blank screen are being returned instead. The same mason
> file, /usr/local/share/request-tracker4/html/Ticket/Elements/ManageInventoryItems,
> is used to add the custom fields and is then posted back to itself as
> http://rt-url/Ticket/Elements/ManageInventoryItems

RT does not allow direct access to Elements, _elements, Widgets and a
few other files.  This is a security issue since there are files in
Elements/ that do not expect to be accessed directly.  It's simpler
for RT to just deny direct access to these files.

If you'd applied the security patches from last year to your 3.8.7
http://lists.bestpractical.com/pipermail/rt-announce/2011-April/000187.html
you would have run into the same failure.

Move your custom form to something other than Elements, such as
Tickets/CustomForms/ and you'll be fine.

-kevin
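As an added illustration of the rule Kevin describes (this is example code, not RT's own, which performs the check inside its Mason request handler), here is a small Python WSGI middleware that refuses direct requests for the component directories he names. The directory set, the middleware and the helper names are assumptions made for the example; RT's real deny list contains more entries than the three listed here.

```python
import posixpath
from urllib.parse import unquote

# Component directories that are never meant to be requested directly.
# Constructed for this example from the three names in the reply above;
# RT's own list is longer.
DENIED_DIRS = {"Elements", "_elements", "Widgets"}


def normalize_request_path(raw_path: str) -> str:
    """Percent-decode once (as the web server would) and collapse '.',
    '..' and repeated slashes, so a disguised form of a path such as
    /Ticket/Foo/../Elements/X is judged the same way as the plain one."""
    decoded = unquote(raw_path)
    # posixpath.normpath keeps the leading '/' and never climbs above it.
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_direct_component_access(raw_path: str) -> bool:
    """True when any segment of the normalized path is a denied directory.
    Matching is case-sensitive, as Mason component lookup is on a
    case-sensitive filesystem."""
    segments = [s for s in normalize_request_path(raw_path).split("/") if s]
    return any(seg in DENIED_DIRS for seg in segments)


def deny_direct_components(app):
    """WSGI middleware: answer 403 for direct component requests,
    otherwise hand the request to the wrapped application."""
    def wrapped(environ, start_response):
        if is_direct_component_access(environ.get("PATH_INFO", "")):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"Forbidden\n"]
        return app(environ, start_response)
    return wrapped


def _dummy_app(environ, start_response):
    """Stand-in for the real application: every request succeeds."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok\n"]


def status_for(path: str) -> str:
    """Run one request through the middleware and return its status line."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = deny_direct_components(_dummy_app)({"PATH_INFO": path}, start_response)
    list(body)  # consume the body iterable as a server would
    return captured["status"]
```

Note that this checks the URL as received; RT applies its rule to the component path Mason actually resolves, which is the more reliable place to do it.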