Re: Bug#257775: AddDefaultCharset default setting is misleading
Hi Marc,

On Tue, 6 Jul 2004, Marc Dequènes wrote:

> Package: apache
> Severity: minor
>
> Coin,
>
> Default setting is on by default, so apache forces a specific encoding. Most users, and some not complete newbies, are unable to understand why their site is not working as expected, and some (kov) may wonder why their browser is not rendering it properly.
>
> As activating this setting is pretty much unuseful for a large majority of users, I suggest deactivating it in future release.

This thing has been discussed over and over. This is the last reference to it:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=211889archive=yes

Since setting AddDefaultCharset off can imply a security problem we will never switch it to off. For more information please check the previous URL and the apache documentation on httpd.apache.org

Thanks
Fabio

PS I am closing this bug.

--
user fajita: step one
fajita Whatever the problem, step one is always to look in the error log.
user fajita: step two
fajita When in danger or in doubt, step two is to scream and shout.

Re: Bug#257775: AddDefaultCharset default setting is misleading
Coin,

> Since setting AddDefaultCharset off can imply a security problem we will never switch it to off. For more information please check the previous URL and the apache documentation on httpd.apache.org

I'm OK with all this. May I suggest you add a small note in 'README.Debian' with links (especially http://httpd.apache.org/info/css-security/encoding_examples.html) so that people understand and do not reopen a bug when the old ones are archived?

Thx for this explanation.

BTW, thanks a lot for your work on IPv6 enabled apache.

--
Marc Dequènes (Duck)

Re: Bug#257775: AddDefaultCharset default setting is misleading
On Tue, 6 Jul 2004, Marc Dequènes wrote:

> Coin,
>
>> Since setting AddDefaultCharset off can imply a security problem we will never switch it to off. For more information please check the previous URL and the apache documentation on httpd.apache.org
>
> I'm OK with all this. May I suggest you add a small note in 'README.Debian' with links (especially http://httpd.apache.org/info/css-security/encoding_examples.html) so that people understand and do not reopen a bug when the old ones are archived?

sure.. that's actually a good idea...

> Thx for this explanation.

no problem...

> BTW, thanks a lot for your work on IPv6 enabled apache.

eh if I only had the time to give them the love they deserve :(

Fabio

--
user fajita: step one
fajita Whatever the problem, step one is always to look in the error log.
user fajita: step two
fajita When in danger or in doubt, step two is to scream and shout.

Re: Bug#257775: AddDefaultCharset default setting is misleading
On Tue, Jul 06, 2004 at 07:10:10AM +0200, Fabio Massimo Di Nitto wrote:

> This thing has been discussed over and over. This is the last reference to it:
>
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=211889archive=yes
>
> Since setting AddDefaultCharset off can imply a security problem we will never switch it to off. For more information please check the previous URL and the apache documentation on httpd.apache.org

I think the real bug here is in the html specification -- it says the server's setting overrides the document's setting, which just seems daft.

My understanding of the security problem is that you need to always set _some_ charset encoding. So I think it'd be a good idea to always set utf-8 rather than latin1 in new installations.

--
Next the statesmen will invent cheap lies, putting the blame upon the nation that is attacked, and every man will be glad of those conscience-soothing falsities, and will diligently study them, and refuse to examine any refutations of them; and thus he will by and by convince himself that the war is just, and will thank God for the better sleep he enjoys after this process of grotesque self-deception. -- Mark Twain

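Added example, not part of the thread or of the Debian apache package: a small header audit for the point made above, that text/html and text/plain responses should always declare some charset. The function names and the sample responses are constructed for illustration; the "On" sample uses iso-8859-1, the charset Apache sends for AddDefaultCharset On.

```python
from email.parser import HeaderParser

# AddDefaultCharset only affects text/plain and text/html responses,
# so those are the media types checked here.
CHECKED_TYPES = {"text/html", "text/plain"}


def audit_response(raw_headers):
    """Classify one raw HTTP response header block (status line + headers)."""
    # Drop the status line; the rest parses like RFC 822 headers.
    _status, _, header_block = raw_headers.strip().partition("\n")
    msg = HeaderParser().parsestr(header_block)
    if msg["Content-Type"] is None:
        return {"type": None, "charset": None,
                "finding": "no Content-Type header"}
    ctype = msg.get_content_type()       # lower-cased media type
    charset = msg.get_content_charset()  # lower-cased charset, or None
    if ctype in CHECKED_TYPES and charset is None:
        finding = "charset missing, browser will guess the encoding"
    else:
        finding = "ok"
    return {"type": ctype, "charset": charset, "finding": finding}


# Constructed sample responses (not captured from a real server), one per
# AddDefaultCharset setting discussed in the thread.
SAMPLES = {
    "AddDefaultCharset On":
        "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
        "Content-Type: text/html; charset=iso-8859-1\r\n",
    "AddDefaultCharset Off":
        "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n",
    "AddDefaultCharset utf-8":
        "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n",
}


def audit_all(samples=SAMPLES):
    """Run the audit over every sample and return results keyed by name."""
    return {name: audit_response(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(f"{name:26} {result['charset']!s:12} {result['finding']}")
```
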
Re: Bug#257775: AddDefaultCharset default setting is misleading
On Tue, 6 Jul 2004, Matthew Wilcox wrote:

> On Tue, Jul 06, 2004 at 07:10:10AM +0200, Fabio Massimo Di Nitto wrote:
>
>> This thing has been discussed over and over. This is the last reference to it:
>>
>> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=211889archive=yes
>>
>> Since setting AddDefaultCharset off can imply a security problem we will never switch it to off. For more information please check the previous URL and the apache documentation on httpd.apache.org
>
> I think the real bug here is in the html specification -- it says the server's setting overrides the document's setting, which just seems daft.
>
> My understanding of the security problem is that you need to always set _some_ charset encoding. So I think it'd be a good idea to always set utf-8 rather than latin1 in new installations.

The reason why I didn't change the default setting is because all the internal error pages use latin1 (AddDefaultCharset on) and I didn't want to create a discrepancy between the config and the internal pages.

Fabio

--
user fajita: step one
fajita Whatever the problem, step one is always to look in the error log.
user fajita: step two
fajita When in danger or in doubt, step two is to scream and shout.

Re: Bug#257775: AddDefaultCharset default setting is misleading
On Tue, Jul 06, 2004 at 04:41:28PM +0200, Fabio Massimo Di Nitto wrote:

> The reason why I didn't change the default setting is because all the internal error pages use latin1 (AddDefaultCharset on) and I didn't want to create a discrepancy between the config and the internal pages.

I didn't realise they used anything outside of ascii.

--
Next the statesmen will invent cheap lies, putting the blame upon the nation that is attacked, and every man will be glad of those conscience-soothing falsities, and will diligently study them, and refuse to examine any refutations of them; and thus he will by and by convince himself that the war is just, and will thank God for the better sleep he enjoys after this process of grotesque self-deception. -- Mark Twain

Re: Bug#257775: AddDefaultCharset default setting is misleading
On Tue, 6 Jul 2004, Fabio Massimo Di Nitto wrote:

> On Tue, 6 Jul 2004, Marc Dequènes wrote:
>
>> Coin,
>>
>>> Since setting AddDefaultCharset off can imply a security problem we will never switch it to off. For more information please check the previous URL and the apache documentation on httpd.apache.org
>>
>> I'm OK with all this. May I suggest you add a small note in 'README.Debian' with links (especially http://httpd.apache.org/info/css-security/encoding_examples.html) so that people understand and do not reopen a bug when the old ones are archived?

It's now added to the README.Debian and it will be part of the next apache upload.

Fabio

--
user fajita: step one
fajita Whatever the problem, step one is always to look in the error log.
user fajita: step two
fajita When in danger or in doubt, step two is to scream and shout.

Bug#257775: AddDefaultCharset default setting is misleading
Package: apache
Severity: minor

Coin,

Default setting is on by default, so apache forces a specific encoding. Most users, and some not complete newbies, are unable to understand why their site is not working as expected, and some (kov) may wonder why their browser is not rendering it properly.

As activating this setting is pretty much unuseful for a large majority of users, I suggest deactivating it in future release.

Thx

--
Marc Dequènes (Duck)