Ubuntu
apache2 package

[SRU] mod_autoindex not configured for UTF-8

Bug #193753 reported by John Nilsson on 2008-02-20

8

Affects		Status	Importance	Assigned to	Milestone
	apache2 (Ubuntu)	Fix Released	Low	Chuck Short
	Hardy	Fix Released	Undecided	Unassigned

Bug Description

Binary package hint: apache2.2-common

1. Install apache
2. Use autoindex to view a dir with UTF-8 encoded filenames
Result: Listing shown as ISO-8859-1

My fix: add Charset=UTF-8 to IndexOptions in /etc/apache2/mods-available/autoindex.conf

as such:
IndexOptions FancyIndexing VersionSort HTMLTable NameWidth=* DescriptionWidth=* Charset=UTF-8

This should be the default

Tags:

Revision history for this message

Chuck Short (zulcss) wrote on 2008-02-25:

#1

Thanks for the bugreport.

Changed in apache2:
importance:	Undecided → Wishlist
status:	New → Triaged

Revision history for this message

Chuck Short (zulcss) wrote on 2008-05-13:

#2

Trivial fix that I added to the ssl bugfix for hardy.

Thanks
chuck

Revision history for this message

Martin Pitt (pitti) wrote on 2008-05-14:

#3

Accepted into -proposed, please test and give feedback here

Changed in apache2:
status:	New → Fix Committed

Revision history for this message

Martin Pitt (pitti) wrote on 2008-05-14:

#4

Chuck, since we are otherwise in sync with Debian, can you please forward this fix to Debian? Thanks!

Revision history for this message

Martin Pitt (pitti) wrote on 2008-05-14:

#5

Verification part 1: With the hardy final apache2, I can reproduce this bug. I created a file ~/public_html/fooääbar€.txt, sudo a2enmod userdir, and I got the scrambled file listing on http://localhost/~martin/foo/.

Revision history for this message

Martin Pitt (pitti) wrote on 2008-05-14:

#6

I will do the verification for the -proposed package, assigning to me for this.

Changed in apache2:
assignee:	nobody → pitti
assignee:	nobody → zulcss
importance:	Wishlist → Low

Revision history for this message

Steve Langasek (vorlon) wrote on 2008-05-14:

#7

I'm very skeptical of including this change in an SRU, because there have been XSS vulnerabilities before in apache2 as a result of mod_autoindex charset handling. UTF-8 is certainly the reasonable default charset on Ubuntu, but it has been well before 8.04 as well, so I'm hesitant to have such a change made via SRU without some indication of why this wasn't changed much earlier.

Revision history for this message

Martin Pitt (pitti) wrote on 2008-05-14:

#8

I updated to the hardy-proposed version and confirmed that the directory listing is correct now.

Steve's question of whether this should be applied at all should still be discussed, of course.

Changed in apache2:
assignee:	pitti → nobody

Revision history for this message

Chuck Short (zulcss) wrote on 2008-05-14:

#9

The change wasnt made earlier because I might have forgotten it. It is already in debian so I dont see the harm, but it can be dropped if you wish.

chuck

Revision history for this message

Martin Pitt (pitti) wrote on 2008-05-22:

#10

Copied to hardy-updates.

Changed in apache2:
status:	Fix Committed → Fix Released

Chuck Short (zulcss) on 2008-06-05

Changed in apache2:
status:	Triaged → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.