
Forgot to CC the list.
On Wed, Apr 2, 2014 at 8:51 AM, Michael Snoyman wrote:
I'm not sure if Mighty is really vulnerable to this attack. IIUC, you're worried about a static file receiving some compromised data from a user which includes a UTF-7 sequence. However, Mighty is only serving static data files (as opposed to generating HTML from a database query or something), so if a user is able to compromise those already, it sounds like *nothing* you can do would prevent an attack.
I suppose theoretically you could be talking about a situation where Mighty is hosting a CGI application that receives user data and produces a static HTML file as a result. In that case, you would be open to an attack. But it could be worked around by the CGI application using <meta charset=...> instead.
Putting aside the question of this specific attack for the moment, what would be the advantages and disadvantages of forcing charset=utf-8?
* Advantage: if the data is actually UTF-8, the browser will always treat it as such. Without such a specification, a browser is free to guess at some other character encoding.
* Disadvantage: if the data isn't actually UTF-8, then the browser will have no ability to try to guess the correct encoding instead.
So that comes to the question: is it safe for Mighty, mime-types, etc, to require that all HTML files are stored as UTF-8? I'd say, as long as there's a way for a user to override that if necessary, it sounds good to me. mime-types does provide such a capability, so I'd be in favor of tweaking its textual types to include explicit charset information.
On Wed, Apr 2, 2014 at 8:02 AM, Kazu Yamamoto wrote:
Hi all,
I heard that if an HTTP server does not specify charset for text/html in HTTP responses, XSS would be possible:
http://openmya.hacker.jp/hasegawa/security/utf7cs.html
I would like to change Mighty to specify charset=UTF-8. Before that, I would like to discuss some items on this ML.
- Can we assume that recent contents are written in UTF-8? For the Japanese community, the answer is probably YES.
- Which components should specify charset=UTF-8? The mime-types package?
--Kazu
_______________________________________________
web-devel mailing list
web-devel@haskell.org
http://www.haskell.org/mailman/listinfo/web-devel
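The two questions the thread turns on (does a text/html response tell the browser its encoding, and can a per-file charset still override a default of UTF-8) can be checked mechanically. The following is an added example for this archive page, not code from the thread, from Mighty, or from the mime-types package; the list of sniffable media types, the function names, and the sample responses are all constructed for illustration. It flags responses where the encoding is left to browser guessing, treats an in-document `<meta charset>` as the workaround Snoyman describes, and shows a header-rewrite that adds `charset=utf-8` only when no charset is already present.

```python
import re

# Media types a browser will re-interpret in a guessed encoding when the
# response carries no charset. Constructed list for this example; not the
# mime-types package's table.
TEXTUAL_TYPES = {
    "text/html", "text/plain", "text/css", "text/javascript",
    "application/javascript", "application/xhtml+xml",
}

# Matches <meta charset="..."> inside an HTML body (hypothetical helper).
_META_CHARSET = re.compile(
    rb"<meta[^>]+charset\s*=\s*[\"']?\s*([A-Za-z0-9_.:-]+)", re.IGNORECASE)


def parse_content_type(value):
    """Split 'text/html; charset=utf-8' into ('text/html', {'charset': 'utf-8'})."""
    parts = [p.strip() for p in value.split(";")]
    media_type = parts[0].lower()
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"')
    return media_type, params


def with_default_charset(value, default="utf-8"):
    """Add charset=<default> to textual types that lack one.

    An explicit charset on the file (the override the thread asks for) is
    left untouched, so a Shift_JIS page stays Shift_JIS.
    """
    media_type, params = parse_content_type(value)
    if media_type not in TEXTUAL_TYPES or "charset" in params:
        return value
    return f"{media_type}; charset={default}"


def find_charset_gaps(headers, body=b""):
    """Return findings for one response; an empty list means the browser is
    told the encoding either by the Content-Type header or by <meta charset>."""
    ct = next((v for k, v in headers if k.lower() == "content-type"), None)
    if ct is None:
        return ["no Content-Type header: browser will sniff type and encoding"]
    media_type, params = parse_content_type(ct)
    if media_type not in TEXTUAL_TYPES or "charset" in params:
        return []
    if media_type == "text/html" and _META_CHARSET.search(body):
        return []  # in-document charset, the CGI workaround from the thread
    return [f"{media_type} served without charset: encoding left to browser guessing"]


# Constructed sample responses, not captured from any real server.
SAMPLES = {
    "static-ok":  ([("Content-Type", "text/html; charset=utf-8")], b"<p>hi</p>"),
    "static-bad": ([("Content-Type", "text/html")], b"<p>hi</p>"),
    "cgi-meta":   ([("Content-Type", "text/html")], b'<meta charset="utf-8"><p>hi</p>'),
    "image":      ([("Content-Type", "image/png")], b"\x89PNG"),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(name, find_charset_gaps(hdrs, body) or "ok")
    print(with_default_charset("text/html"))
    print(with_default_charset("text/plain; charset=Shift_JIS"))
```

Running the script over the constructed samples reports only `static-bad`; the rewrite turns a bare `text/html` into `text/html; charset=utf-8` while leaving the Shift_JIS header alone, which is the "default plus override" behaviour the thread converges on.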