Commit 8d5c6107 authored by Roy T. Fielding

Remove AddDefaultCharset from the default configuration because
setting a site-wide default does more harm than good.

PR: 23421



git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@111581 13f79535-47bb-0310-9956-ffa450edef68
parent 637c27f5
+4 −0
@@ -2,6 +2,10 @@ Changes with Apache 2.1.3
  [Remove entries to the current 2.0 section below, when backported]
  *) conf: Remove AddDefaultCharset from the default configuration because
     setting a site-wide default does more harm than good. PR 23421.
     [Roy Fielding]
Changes with Apache 2.1.2
  *) mod_proxy: Respect errors reported by pre_connection hooks.
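Review bot: The new CHANGES entry says only that a site-wide default "does more harm than good" and gives an administrator reading the changelog no hint of what the harm is or what to use instead. Consider one more clause, for example that the directive itself remains available and that AddCharset can label resources individually, so that sites which relied on the shipped default know where to look.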
+0 −12
@@ -813,18 +813,6 @@ ServerSignature On
</IfModule>

<IfModule mod_mime.c>
    #
    # Specify a default charset for all pages sent out. This is
    # always a good idea and opens the door for future internationalisation
    # of your web site, should you ever want it. Specifying it as
    # a default does little harm; as the standard dictates that a page
    # is in iso-8859-1 (latin1) unless specified otherwise i.e. you
    # are merely stating the obvious. There are also some security
    # reasons in browsers, related to javascript and URL parsing
    # which encourage you to always set a default char set.
    #
    AddDefaultCharset ISO-8859-1

    #
    # Commonly used filename extensions to character sets. You probably
    # want to avoid clashes with the language extensions, unless you
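Review bot: The comment block removed inside <IfModule mod_mime.c> was the only text here that mentioned the browser-side security reasons for labelling a charset, and nothing replaces it. Since the directive is deleted rather than commented out, consider leaving a short comment that points to the AddDefaultCharset documentation for sites serving generated content, so that hint is not lost from the shipped config.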
+0 −12
@@ -758,18 +758,6 @@ LanguagePriority en ca cs da de el eo es et fr he hr it ja ko ltz nl nn no pl pt
#
ForceLanguagePriority Prefer Fallback

#
# Specify a default charset for all pages sent out. This is
# always a good idea and opens the door for future internationalisation
# of your web site, should you ever want it. Specifying it as
# a default does little harm; as the standard dictates that a page
# is in iso-8859-1 (latin1) unless specified otherwise i.e. you
# are merely stating the obvious. There are also some security
# reasons in browsers, related to javascript and URL parsing
# which encourage you to always set a default char set.
#
AddDefaultCharset ISO-8859-1

#
# Commonly used filename extensions to character sets. You probably
# want to avoid clashes with the language extensions, unless you
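Review bot: After this removal the file sets no default charset at all, and the block that follows ("Commonly used filename extensions to character sets") becomes the only charset labelling in it, without saying so. A sentence added to that following comment, noting that resources whose extensions are not mapped get no charset parameter from this configuration, would make the new behaviour visible to anyone editing the file.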
+27 −12
@@ -139,8 +139,8 @@ available</description>

<directivesynopsis>
<name>AddDefaultCharset</name>
<description>Default character set to be added for a
response without an explicit character set</description>
<description>Default charset parameter to be added when a response
content-type is "text/plain" or "text/html"</description>
<syntax>AddDefaultCharset On|Off|<var>charset</var></syntax>
<default>AddDefaultCharset Off</default>
<contextlist><context>server config</context>
@@ -149,21 +149,36 @@ response without an explicit character set</description>
<override>FileInfo</override>

<usage>
    <p>This directive specifies the name of the character set that
    will be added to any response that does not have any parameter on
    the content type in the HTTP headers. This will override any
    character set specified in the body of the document via a
    <code>META</code> tag. A setting of <code>AddDefaultCharset
    Off</code> disables this
    functionality. <code>AddDefaultCharset On</code> enables
    Apache's internal default charset of <code>iso-8859-1</code> as
    required by the directive. You can also specify an alternate
    <var>charset</var> to be used. For example:</p>
    <p>This directive specifies a default value for the media type
    charset parameter (the name of a character encoding) to be added
    to a response if and only if the response's content-type is either
    "text/plain" or "text/html".  This should override any charset
    specified in the body of the document via a <code>META</code> tag,
    though the exact behavior is often dependent on the user's client
    configuration. A setting of <code>AddDefaultCharset Off</code>
    disables this functionality. <code>AddDefaultCharset On</code> enables
    a default charset of <code>iso-8859-1</code>. Any other value is assumed
    to be the <var>charset</var> to be used, which should be one of the
    <a href="http://www.iana.org/assignments/character-sets">IANA registered
    charset values</a> for use in MIME media types.
    For example:</p>

    <example>
      AddDefaultCharset utf-8
    </example>

    <p><code>AddDefaultCharset</code> should only be used when all
    of the text resources to which it applies are known to be in that
    character encoding and it is too inconvenient to label their charset
    individually. One such example is to add the charset parameter
    to resources containing generated content, such as legacy CGI
    scripts, that might be vulnerable to cross-site scripting attacks
    due to user-provided data being included in the output.  Note, however,
    that a better solution is to just fix (or delete) those scripts, since
    setting a default charset does not protect users that have enabled
    the "auto-detect character encoding" feature on their browser.</p>
</usage>
<seealso><directive module="mod_mime">AddCharset</directive></seealso>
</directivesynopsis>

<directivesynopsis>
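Review bot: The rewritten first paragraph of <usage> drops the condition from the old text that the charset is added only to a response that "does not have any parameter on the content type", so it no longer says what happens when a charset is already present, for instance one set through AddCharset or by a script's own header. State that case explicitly next to the "if and only if" sentence, so readers can tell whether an explicit label is preserved or replaced.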
+2 −1
@@ -235,7 +235,8 @@ charset</description>
<usage>
    <p>The <directive>AddCharset</directive> directive maps the given
    filename extensions to the specified content charset. <var>charset</var>
    is the MIME charset parameter of filenames containing
    is the <a href="http://www.iana.org/assignments/character-sets">MIME
    charset parameter</a> of filenames containing
    <var>extension</var>. This mapping is added to any already in force,
    overriding any mappings that already exist for the same
    <var>extension</var>.</p>
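Review bot: With the link added, the sentence still reads "is the MIME charset parameter of filenames containing extension", which attributes a charset parameter to filenames rather than to the resources they name. While this line is being touched, consider rewording it to something like "for resources with filenames containing".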