Unable to edit pages on a fresh install local environment

Silverstripe Version:
4.1.1

Question:
I just installed Silverstripe 4.1.1 via composer. I have a local environment. I use OpenSuse. The installation was straightforward. However, whenever I try to edit a page through the CMS I get an error and a little popup appears with the word “Forbidden”. I also tried installing Silverstripe on Bitnami LAMP stack (same computer) and the same happened.

I also installed Silverstripe 4.1.1 on my VPS with DreamHost and everything works perfect. I can edit pages without any issue.

Here is a screenshot of the CMS error.

Thanks

I figured out the issue but I don’t understand rewrite rules very well.

Here is what I did:
Commented out the following rewrite rules from the file /public/assets/.htaccess

# Block invalid file extensions
#RewriteCond %{REQUEST_URI} !^[^.]*\.(?i:css|js|ace|arc|arj|asf|au|avi|bmp|bz2|cab|cda|csv|dmg|doc|docx|dotx|flv|gif|gpx|gz|hqx|ico|jpeg|jpg|kml|m4a|m4v|mid|midi|mkv|mov|mp3|mp4|mpa|mpeg|mpg|ogg|ogv|pages|pcx|pdf|png|pps|ppt|pptx|potx|ra|ram|rm|rtf|sit|sitx|tar|tgz|tif|tiff|txt|wav|webm|wma|wmv|xls|xlsx|xltx|zip|zipx)$
#RewriteRule .* - [F]

After this, I was able to edit pages.

I thought that line meant to allow those file types. But it looks like it is the other way around. Anyway, I don’t really understand how this rewrite rule and regular expression work. The other thing is that the same .htaccess file works fine on my DreamHost VPS.

Any ideas?

Thanks

1 Like

I finally replaced the following expression:
%{REQUEST_URI} !^[^.]*\.

with

%{REQUEST_URI} !^.*\.

Now everything works as expected. I just don’t understand why the original expression works on my VPS.

Update:

Every time I use ?flush, the file .htaccess is overwritten so I had to change the RewriteCondition inside the following template:
vendor/silverstripe/assets/templates/SilverStripe/Assets/Flysystem/PublicAssetAdapter_HTAccess.ss

Looks like it’s working now

3 Likes

That rewrite rule was changed in 4.1.1 and now prevents dots in the filename… actually any dot in the request uri will result in a 403 access denied error.

So any url like: folder.test/file.jpg or folder/file.2.jpg will result in that behavior. Maybe you’ve got a folder-name with a dot in your setup? Check the full URL to validate that.

I’ve reported this as a bug here: Files with dots in filename will no longer be served. · Issue #141 · silverstripe/silverstripe-assets · GitHub

In the meantime you can change the .htaccess via template as you did. I’ve done so myself as well for my 4.1.1 projects.

Hi Francisco, I’m not sure exactly why that’s happening, but opening your browser’s dev tools may help. Try going to the Network tab and refreshing the page, and inspect any responses that return an error as you may be able to see a more detailed error message there. Failing that, checking your server and php error logs might help. It sounds like a response from the server rather than PHP to me, since it says ‘Forbidden’.

If you’re getting a forbidden response for static assets like javascript files, you may have a permissions problem.

Hi Jono
Thank you very much for your prompt response.

I checked network errors with Google Chrome dev tools. There is a 403 error when trying to access the following file:
tinymce-cms-10a2432d37.js
I set permissions to 777 for that file but still getting the same error.

1 Like

Some context around this error:

  • The tinymce-cms JS file lives in the assets folder
  • Assets doesn’t let you upload JS files by default, but;
  • Assets serves JS files via the htaccess rules in the assets directory, which is required for this file to function

If you’ve upgraded from a previous version of SilverStripe you may find that this htaccess file might have changed. I suspect that doing one or both of the following should fix your problem: composer vendor-expose and/or adding ?flush to the URL in your browser.

Thanks for the reply Robbie.

I didn’t upgrade. It was a fresh install. I’m thinking that it may have to do with my local server because I installed it on another server without issues. I just can’t figure out how to solve the problem.

I tried composer vendor-expose and ?flush, but none of them worked.
One difference between the server that works and the one that doesn’t is the Apache version. My local server runs Apache 2.4 and my DreamHost VPS runs Apache 2.2.

Thank you guys for your help. At least I was able to locate the error.

Thanks again Jono.

If I fix this issue, I will post my solution.

I don’t have any new ideas :slightly_frowning_face: but FYI I’m running Apache 2.4 (2.4.33) locally too and haven’t had this issue.

This change came about due to a security vulnerability [SS-2018-012]. See [ss-2018-012] Prevent php code execution in assets folder · silverstripe/silverstripe-assets@1e27835 · GitHub for reference.

If modifying the file works in your case then please take care of any risk you expose yourself to.

What is the vulnerability if I might ask? Maybe there’s a better solution than disallowing dots in filenames?

Hi TractorCow,
Thanks for your reply.
I would like to keep the expression as is. However, I don’t know why it does not work on my local environment.

See here for more on this issue; in particular the issue of different behavior locally and remotely. :slight_smile:

1 Like

I also encountered this issue. My mistake was including dots ‘.’ in the directory name of my project. E.g. ‘myproject.com’. Once I renamed my directory and removed the dot i.e. ‘myproject’ the issue was fixed.
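
The rule behaviour discussed in this thread, as an added example that is not part of any post and not Silverstripe's own code: it evaluates the 4.1.1 pattern and the edited pattern the way `RewriteCond %{REQUEST_URI} !pattern` followed by `RewriteRule .* - [F]` does, over constructed request URIs. The extension list is shortened from the quoted rule, and the sample paths, `is_forbidden` and `evaluate` are assumptions made for illustration.

```python
import re

# Shortened subset of the extension allowlist quoted in the thread (assumption:
# trimmed only to keep the example readable).
EXTS = "css|js|gif|ico|jpeg|jpg|pdf|png|txt|zip"

# 4.1.1 pattern: no dot may appear anywhere before the final extension.
STRICT = re.compile(r"^[^.]*\.(?i:" + EXTS + r")$")
# Pattern after the edit described above: dots are allowed before the extension.
RELAXED = re.compile(r"^.*\.(?i:" + EXTS + r")$")


def is_forbidden(pattern, request_uri):
    """Mirror `RewriteCond %{REQUEST_URI} !pattern` + `RewriteRule .* - [F]`:
    the request is answered with 403 when the URI does NOT match the pattern."""
    return pattern.search(request_uri) is None


# Constructed sample request URIs (hypothetical paths, not taken from a real site).
SAMPLES = [
    "/assets/tinymce-cms-10a2432d37.js",                # site served from the web root
    "/myproject.com/assets/tinymce-cms-10a2432d37.js",  # project directory contains a dot
    "/assets/folder/file.2.jpg",                        # dot inside the file name
    "/assets/upload.php.jpg",                           # name with two extensions
    "/assets/upload.php",                               # extension not in the allowlist
]


def evaluate(samples=SAMPLES):
    """Return (uri, forbidden_by_strict, forbidden_by_relaxed) for each sample."""
    return [(u, is_forbidden(STRICT, u), is_forbidden(RELAXED, u)) for u in samples]


if __name__ == "__main__":
    for uri, strict, relaxed in evaluate():
        print(f"{uri:52} strict={'403' if strict else 'ok':3}  "
              f"relaxed={'403' if relaxed else 'ok'}")
```

The same asset is served or refused depending only on whether any earlier part of the request URI contains a dot. The edited pattern also admits names with two extensions, which the 4.1.1 pattern refuses.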