Could you please check if adding CGIPassAuth On [1] to your .htaccess or conf file instead of the SetEnvIf directive fixes the problem ?

polzin,

You did not provide any feedback; I am therefore resolving this issue as "no change required".

Feel free to reopen the issue at a later time and provide the requested information.

Sorry for the delay.
My tests results:
If either CGIPassAuth On or SetEnvIf ... is in .htaccess it works.
Without any of them, as in the current master, it doesn´t work.

curl -v results:

    > Authorization: 8qpg8He_atuoIQH5uMH8wRtam5tInXXX
    >
    < HTTP/1.1 401 API token required

vs.

    > Authorization: 8qpg8He_atuoIQH5uMH8wRtam5tInXXX
    >
   < HTTP/1.1 200 OK

Thanks for the feedback, I'll fix this in the next hotfix release.

Hello,

Firstly, thanks for posting a notification on the original block article. I didn't think this was a bug with MantisBT itself so I never reported it here unlike some of the other issues I raised at the time.

I tested this new way, but it didn't work for me - the logs showed

    [core:alert] <path>/api/rest/.htaccess: Invalid command 'CGIPassAuth', perhaps misspelled or defined by a module not included in the server configuration

PHP version: 8.2.7 running under Plesk (Obsidian?) as a "Dedicated FPM application served by Apache" (I also tried ...served by nginx, same error)

Apparently CGIPassAuth was added in Apache 2.4.13, which is appears to be from quite a few years back, and I can't see the Apache version I'm using being that old, but I can't tell the version and my SSH connection is closing as soon as I try to log in to check. I'll contact my host and see if they can tell me (as well as look into the SSH issue!).

Regardless though, I guess it is an environment problem as opposed to something with MantisBT, but thought I'd follow up anyway.

Regards;
Richard Moss

thanks for posting a notification

You're welcome. It thought it would be a good idea since this Issue's OP came here after applying your workaround.

PHP version: 8.2.7

Probably unrelated, but please note that we don't support PHP 8.2 (yet).

I can't see the Apache version I'm using being that old, but I can't tell the version and my SSH connection is closing as soon as I try to log in to check

Have you tried curl --head http://your.server.com/ or uploading a file with <?php phpinfo(); in it ?

Keep us posted

I noticed in error logs alers.

[Mon Aug 28 23:59:53.777128 2023] [core:alert] [pid 22624:tid 140187749291776] [client XXX:49002] /opt/httpd/XXX/html/mantis/api/rest/.htaccess: CGIPassAuth not allowed here

Still the access works. That makes no sense. For me, I will fall back to the other solution.

Weird. According to Apache documentation, CGIPassAuth Directive is allowed in .htaccess context.

[Mon Aug 28 23:59:53.777128 2023] [core:alert] [pid 22624:tid 140187749291776] [client XXX:49002] /opt/httpd/XXX/html/mantis/api/rest/.htaccess: CGIPassAuth not allowed here

If you can spare the time and effort, this may be worth reporting to Apache.

CGIPassAuth Directive is allowed in .htaccess context.

I rechecked and found out:
On some webservers both directives work and one of them is required.

On other webservers, CGIPassAuth is forbidden in .htaccess, and thus only the other directive is allowed and required.

So it seems to me, it´s a configuration issue and not an Apache issue.