I just upgraded from RT 3.6.6 to 3.8.8 (yesterday, in fact).
Everything is working fine except that when I click on a few menu
options under Tickets I get a mod_security error:
[Mon Feb 28 16:50:46 2011] [error] [client 10...*] ModSecurity: Rule
execution error - PCRE limits exceeded (-8): (null). [hostname
“sub.domain.tld”] [uri “/Search/Edit.html”] [unique_id
“WURk2H8AAAEAAAwm0zMAAAAK”]
This is the full query string that is sent when I click on these options:
https://sub.domain.tld/Search/Edit.html?Format='%20%20%20<b><a%20href%3D"__WebPath__%2FTicket%2FDisplay.html%3Fid%3D__id__">__id__<%2Fa><%2Fb>%2FTITLE%3A%23'%2C
'<b><a%20href%3D"__WebPath__%2FTicket%2FDisplay.html%3Fid%3D__id__">__Subject__<%2Fa><%2Fb>%2FTITLE%3ASubject'%2C
'__Status__'%2C
'__QueueName__'%2C
'__OwnerName__'%2C
'__Priority__'%2C
'__NEWLINE__'%2C
''%2C
'<small>__Requestors__<%2Fsmall>'%2C
'<small>__CreatedRelative__<%2Fsmall>'%2C
'<small>__ToldRelative__<%2Fsmall>'%2C
'<small>__LastUpdatedRelative__<%2Fsmall>'%2C
'<small>__TimeLeft__<%2Fsmall>'&Order=ASC&OrderBy=id&Query=&RowsPerPage=50&SavedChartSearchId=
This happens with Edit Search, Advanced, Show Results, Bulk Update and
Graph. (The query string is a little different depending on which
option is clicked, but the length of the string is consistent.)
The browser simply returns a “403 Forbidden” because mod_security
blocks access to that URL.
Is this query string of a normal length for these options?
I just upgraded from RT 3.6.6 to 3.8.8 (yesterday, in fact).
Everything is working fine except that when I click on a few menu
options under Tickets I get a mod_security error:
[snip]
Is this query string of a normal length for these options?
Yes, that’s pretty standard when you’re clicking around the ticket
search interface.
Thomas