snipe-it
snipe-it copied to clipboard
snipe
v6.0.0 public/.htaccess uses old rule syntax
Debug mode
- [X] I have enabled debug mode
- [X] I have read checked the Common Issues page
Describe the bug
with apache-2.4.53 and snipeit-6.0.0:
$ tail -n1 /var/log/apache2/error.log
[Fri May 13 20:13:37.406524 2022] [core:alert] [pid 394] [client ...:43204] /var/www/snipe-it/public/.htaccess: Invalid command 'Deny', perhaps misspelled or defined by a module not included in the server configuration
Reproduction steps
- use apache-2.4
- install snipeit-6.0.0
- fail
Expected behavior
do not fail
Screenshots
No response
Snipe-IT Version
6.0.0
Operating System
Debian Linux
Web Server
apache
PHP Version
7.8
Operating System
No response
Browser
No response
Version
No response
Device
No response
Operating System
No response
Browser
No response
Version
No response
Error messages
No response
Additional context
No response
I don't know what this means. We haven't changed the htaccess syntax in ages.
If you have a fix for this, we'd happily look at a PR, but we have to make sure it degrades well for older versions of Apache.
it means v6.0.0 is broken on apache-2.4 as the error log shows. the broken change doesn't exist in the 5.x series, it was merged into the 6.x series. so it's been broken in the 6.x series since commit 494ed3d17aaee68ae885d87948111ab299549094.
compare the use of Require-vs-Deny in the top-level .htaccess and public/.htaccess.
consider
<Files "web.config">
<IfModule mod_authz_core.c>
Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
Order Deny,Allow
Deny from All
</IfModule>
</Files>
It's a common format for sussing versions.
compare the use of Require-vs-Deny in the top-level .htaccess and public/.htaccess.
Silly me -- didn't read it all. Vapier's pointer to https://github.com/snipe/snipe-it/blob/master/.htaccess#L7 is a ideal fix.
GitHub
A free open source IT asset/license management system - snipe-it/.htaccess at master · snipe/snipe-it
@bby-bishopclark I've had a PR open for 3 days for this. https://github.com/snipe/snipe-it/pull/11072 - just waiting on someone who uses apache to test.
is THAT all?!? Let me check my dev box.
Good news and bad news:
# rpm -qa snipe-it httpd
snipe-it-5.3.10-2.el8.noarch
httpd-2.4.37-43.module+el8.5.0+747+83fae388.3.x86_64
Apache here, but I can't get a newer snipe-it into the system until I update the package, and there was a minor change after 5.3.10 that is hosing the build test; ownership or something. It's only a coupla days, maybe, but it's gonna be a coupla days.
@bby-bishopclark just noticed this - where is that snipe-it RPM coming from? We don't build an RPM for this, so curious where you found that or if you're building it yourself?
@bby-bishopclark just noticed this - where is that snipe-it RPM coming from?
We talked about this before. An RPM is not on the project's radar, but crucial for adoption at my site, so yeah. I used to do it full-time for OpenLinux, so it was almost no big deal.
I don't recall talking to you about it, but I believe you. I talk to a lot of people here. Literally thousands.
So if nobody is willing to test this, I can't merge it. I closed the PR, but will re-add if anyone can confirm this works.
Sorry, but I can't test. It appears v6 made a dependency leap and leapt right out of EL7 support. My packaging effort - and thus upgrades and thus testing - is stalled until I replatform on another EL that has what the project needs. It's probably EL9 since its 10-year support window is only 10% used. TL;DR is I have no v6 installs for the near term.
