Mattermost, Inc.

[SOLVED] 403 Error on File Upload

When attempting to upload files above a certain size, users get a 403 error from the server.

Previously, users would get a 413 error. I increased the value of SecRequestBodyLimit in modsecurity.conf and that cleared the 413 error.

I have tested this with files of various sizes to try to see where the limit is for this error. A file with size 6825789 bytes does not produce a 403 error, but a file of size 6871913 does. (I did a grep search in the mattermost install directory for 68\d{5}, but didn’t find anything where a number of the form 68XXXXX appeared. Also no results in /etc/*)

Same error regardless of using web interface or desktop client.

The response from the POST request that produces the 403 includes:

You don't have permission to access /api/v3/teams/6..e/files/upload
on this server.

The response from a successful upload is a JSON with the filenames and client_ids.

I suspect this is really an issue with how I have apache2 configured, but I can’t seem to find the misconfiguration.

Mattermost version 3.2.0 (Just upgraded. The error existed before upgrading as well.)
Apache/2.4.7 (Ubuntu)
mysql Ver 14.14 Distrib 5.6.31

EDIT: I have a mattermost.conf file in /etc/apache2/sites-enabled which has LimitRequestBody 0 in it.

OK. I found a solution.

I tracked the issue to modsecurity and a MULTIPART_UNMATCHED_BOUNDARY message. In the /etc/modsecurity/modsecurity.conf file, I commented out these two lines:

SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
"id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

then restarted apache. I no longer have upload issues. (Although I’m not sure what the implications are for the security of the site…)
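
A narrower alternative to commenting the rule out for the whole server, added here as an example that is not part of the original post: leave rule 200003 enabled in modsecurity.conf and remove it only for the upload endpoint shown in the 403 response. It assumes ModSecurity 2.x loaded as security2_module, and that /etc/modsecurity/modsecurity.conf is read before the site file, so the rule already exists when it is removed.

```apache
# /etc/modsecurity/modsecurity.conf
# Keep the stock rule active, so every other multipart request on the
# server is still checked for unmatched boundaries.
SecRule MULTIPART_UNMATCHED_BOUNDARY "!@eq 0" \
    "id:'200003',phase:2,t:none,log,deny,msg:'Multipart parser detected a possible unmatched boundary.'"

# /etc/apache2/sites-enabled/mattermost.conf, inside the Mattermost <VirtualHost>
<IfModule security2_module>
    # Remove rule 200003 only for the file upload API. [^/]+ stands for
    # the team id segment of /api/v3/teams/<team id>/files/upload.
    <LocationMatch "^/api/v3/teams/[^/]+/files/upload$">
        SecRuleRemoveById 200003
    </LocationMatch>
</IfModule>
```

With this in place the boundary check is skipped for uploads to that one path only, and the remaining ModSecurity rules still apply to it.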