Package: apache2
Version: 2.4.10-10+deb8u4
Severity: wishlist

/etc/apache2/conf-available/charset.conf currently says:

# Read the documentation before enabling AddDefaultCharset.
# In general, it is only a good idea if you know that all your files
# have this encoding. It will override any encoding given in the files
# in meta http-equiv or xml encoding tags.

#AddDefaultCharset UTF-8

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

It's been a while since I looked at that setting. From memory, I *think* there's a security issue with enabling this setting, but the comment does not make that clear at all.

Furthermore, it doesn't say *why* I should read the documentation, or worse, which. I don't have a README.Debian installed here. The Apache documentation upstream is pretty large. I could find this:

https://httpd.apache.org/docs/current/mod/core.html#adddefaultcharset

Which links to:

https://httpd.apache.org/docs/current/mod/mod_mime.html#addcharset
http://www.iana.org/assignments/character-sets/character-sets.xhtml

Then that links to:

https://httpd.apache.org/docs/current/mod/mod_mime.html#multipleext
https://httpd.apache.org/docs/current/content-negotiation.html

... when do I stop reading? :) What exactly is the point of the notice?

I would suggest adding a recommendation in the text explicitly stating that the user should read the issues documented in the AddDefaultCharset documentation with the URL, that way it's clear that the user does not need to get familiar with all the details of content negotiation and IANA numbering. :p

It's also unclear to me why there's a config in conf-enabled that does nothing by default. It would seem to me more rational to have the config disabled by default, but then have AddDefaultCharset actually activated in there...

Thanks!

-- System Information:
Debian Release: 8.4
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'proposed-updates'), (500, 'stable'), (1, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.2.0-0.bpo.1-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_CA.UTF-8, LC_CTYPE=fr_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages apache2 depends on:
pn  apache2-mpm-worker | apache2-mpm-prefork | apache2-mpm-event | apac  <none>
pn  apache2.2-common                                                     <none>

apache2 recommends no packages.

apache2 suggests no packages.