Friday, February 29, 2008

Default charset in apache (2)

Yep, so getting back... apparently I missed an important hint:

http://www.apache.org/dist/httpd/CHANGES_2.2

This file contains a paragraph I missed:

*) mod_autoindex: Add in Type and Charset options to IndexOptions directive. This allows the admin to explicitly set the content-type and charset of the generated page and is therefore a viable workaround for buggy browsers affected by CVE-2007-4465 (cve.mitre.org). [Jim Jagielski]
Not really obvious, but anyway... they did say something about it after all.
The really useful answer to this issue came from somebody on the httpd mailing list; I need to quote it here, since it's very straightforward:

In earlier versions, mod_autoindex didn't set any charset at all. This meant that AddDefaultCharset, which only works when no other charset is specified, was picked up. But it also meant that no charset was sent at all if AddDefaultCharset wasn't present.

To protect buggy browsers from cross-site scripting (XSS) attacks, all content originating from Apache needs to have a charset assigned, so a change was made in 2.2.6 to assign a charset (utf-8 for Windows and iso-8859-1 for everything else, if I recall correctly). The charset option was also added to IndexOptions for those who need to override it.

So, yes, the current behavior is expected and correct and the old behavior is wrong. You should use IndexOptions charset= to change the mod_autoindex charset and not AddDefaultCharset.
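As an added example (not from this post, the CHANGES file or the mailing-list reply), an httpd 2.2 configuration fragment that puts the ineffective setting next to the correct one for a directory listing; the hostname and paths are assumptions:

```apache
# Constructed example: hostname and paths are assumed, not from the post.
<VirtualHost *:80>
    ServerName files.example.test
    DocumentRoot /var/www/files

    # AddDefaultCharset only applies to responses that carry no charset
    # of their own. Since 2.2.6 mod_autoindex sets a charset itself, so
    # this line no longer changes directory listings (it still applies
    # to e.g. static .html files that have no charset set).
    AddDefaultCharset UTF-8

    <Directory /var/www/files>
        Options +Indexes
        Order allow,deny
        Allow from all
        # The supported way to change the listing's charset (and content
        # type) on 2.2.6 and later: the IndexOptions Charset= and Type=
        # options added in CHANGES_2.2.
        IndexOptions FancyIndexing Type=text/html Charset=UTF-8
    </Directory>
</VirtualHost>
```

After a reload, requesting the directory URL with `curl -sI` shows the charset from IndexOptions in the listing's Content-Type header, while the AddDefaultCharset value only shows up on files that lack a charset.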
