Re: Character encoding mismatch

On Wed, Nov 13, 2002 at 06:11:10PM -0500, Tex Texin wrote:
> Chris, I have some instructions for Apache on a web page:
> If you follow the instructions for creating a .htaccess file in the
> directory with your web pages, you will get the right http charset
> without disturbing your web admin.
> (Assuming typical server admin configuration...)
> The examples are for Unicode UTF-8, but you can use other charsets if
> needed.
> tex

AddCharset, AddDefaultCharset, and AddType are probably the places
to start looking for solutions. (Apache has other internationalization
features that may be of interest.)

Apache allows a considerable number of directives in .htaccess files
but also allows the system administrator to turn off broad
blocks of these directives. This accounts for site-specific
differences in what you can do. See the AllowOverride directive
and the "Context" and "Override" sections in all entries of the
command reference. Unfortunately there is a security issue
here: All the Add<something> directives are in the same
section "FileInfo" as the AddType and AddHandler directives,
both of which can be used to turn on execution of CGI scripts.
(AddType via the magic MIME type: "application/x-httpd-cgi")

So if a site wants to enforce auditing of CGI scripts they have
to restrict a lot of otherwise useful features to the central
configuration files. If you can't use .htaccess for such
reasons, try to get the server admin to change the defaults
on a per-directory-tree basis: that has far fewer of these
security issues.

    Albert Lunde (new address)
                 (old address)

Received on Wednesday, 13 November 2002 23:51:44 UTC
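
An added example, not part of the original message: a small audit helper for the trade-off described above, which sorts the lines of a .htaccess file into charset settings and the two FileInfo directives the message names as able to map files to CGI. The sample file contents, the handler name "cgi-script" and the function names are assumptions made for illustration.

```python
# Directives named in the message; all belong to the "FileInfo" override group.
CHARSET_DIRECTIVES = {"addcharset", "adddefaultcharset"}
CGI_MIME = "application/x-httpd-cgi"   # the "magic" MIME type from the message
CGI_HANDLER = "cgi-script"             # assumed handler name for AddHandler


def audit_htaccess(text):
    """Classify each directive line of a .htaccess file.

    Returns (line_number, kind, line) tuples, where kind is 'cgi'
    (maps files to CGI execution), 'charset', or 'other'.
    """
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        parts = line.split()
        name = parts[0].lower()  # directive names are case-insensitive
        args = [a.strip('"').lower() for a in parts[1:]]
        if name == "addtype" and args and args[0] == CGI_MIME:
            kind = "cgi"
        elif name == "addhandler" and args and args[0] == CGI_HANDLER:
            kind = "cgi"
        elif name in CHARSET_DIRECTIVES:
            kind = "charset"
        else:
            kind = "other"
        findings.append((number, kind, line))
    return findings


def needs_review(text):
    """Line numbers an admin auditing CGI use would have to inspect."""
    return [n for n, kind, _ in audit_htaccess(text) if kind == "cgi"]


# Constructed sample, not taken from any real site.
SAMPLE = """\
# user-maintained overrides
AddDefaultCharset UTF-8
AddCharset UTF-8 .html
AddType application/x-httpd-cgi .pl
AddHandler cgi-script .cgi
AddType text/html .shtml
"""

if __name__ == "__main__":
    for number, kind, line in audit_htaccess(SAMPLE):
        print(f"{number:>3} {kind:<8} {line}")
```

Lines reported as 'charset' are the ones that can be moved into a per-directory section of the central configuration if FileInfo overrides are turned off.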