
Bug#565626: apache2.2-common: incorrect Content-Type and/or Content-Encoding based on file extension



Package: apache2.2-common
Version: 2.2.14-3
Severity: normal

In Debian's default configuration, Apache's mod_mime sets Content-Type to
application/x-gzip if a file has a .gz extension. This behavior is configured
in /etc/apache2/mods_available/mime.conf:
    AddType application/x-gzip .gz .tgz

The .gz extension is recognized not only at the end but also in the middle
of a file name. If a file is named e.g. data.tar.gz.gpg, the content type
"application/x-gzip" is however very incorrect. The file is a PGP signature of
arbitrary data, not a further compressed or encrypted GZip file.

In /etc/apache2/mods_available/mime.conf, the following setting is also
suggested but commented out by default:
    #AddEncoding x-gzip .gz .tgz

If this setting is uncommented, an incorrect Content-Encoding header is added
in a similar way to Content-Type. Apparently some HTTP clients and/or proxies
attempt to automatically gunzip such responses, which obviously fails in the
case presented above.

This is probably what happened with Ubuntu's package repositories, when
systems using a proxy (specifically apt-cacher) failed to upgrade. See
https://bugs.launchpad.net/ubuntu/+bug/245219 for more information.

A work-around for the .tar.gz.gpg case is to add an
    AddType application/pgp-signature .gpg
directive and disable the AddEncoding directive for .gz.

The behavior of mod_mime with regard to multiple file extensions is
described here:
http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext

I disagree with the principle of matching a non-final extension even when
unknown extensions follow.

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authz_default authz_groupfile
  authz_host authz_user autoindex cgid deflate dir env mime
  negotiation setenvif status userdir wsgi

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-xen-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2.2-common depends on:
ii  apache2-utils                 2.2.14-3   utility programs for webservers
ii  apache2.2-bin                 2.2.14-3   Apache HTTP Server common binary f
ii  libmagic1                     5.03-3     File type determination library us
ii  lsb-base                      3.2-23     Linux Standard Base 3.2 init scrip
ii  mime-support                  3.47-1     MIME files 'mime.types' & 'mailcap
ii  perl                          5.10.1-8   Larry Wall's Practical Extraction 
ii  procps                        1:3.2.8-2  /proc file system utilities

Versions of packages apache2.2-common recommends:
ii  ssl-cert                      1.0.25     simple debconf wrapper for OpenSSL

Versions of packages apache2.2-common suggests:
pn  apache2-doc                   <none>     (no description available)
pn  apache2-suexec | apache2-suex <none>     (no description available)
pn  www-browser                   <none>     (no description available)

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event             <none>     (no description available)
pn  apache2-mpm-itk               <none>     (no description available)
pn  apache2-mpm-prefork           <none>     (no description available)
ii  apache2-mpm-worker            2.2.14-3   Apache HTTP Server - high speed th

-- no debconf information
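
The multiple-extension behaviour reported above, as an added example that is not part of the original report and is not Apache code. It is a simplified Python model of the rule in the mod_mime 2.2 documentation (rightmost mapped extension sets the type, encodings accumulate, unmapped extensions are skipped); the function names, mapping tables and file names are constructed for illustration.

```python
# Simplified model of mod_mime's multiple-extension rule (Apache 2.2 docs).
# Assumption: only AddType/AddEncoding are modelled; mime.types is ignored.

def resolve(filename, add_type, add_encoding):
    """Return (content_type, encodings, inner) for one file name.

    inner is True when any of the metadata comes from a non-final extension.
    """
    exts = filename.rsplit("/", 1)[-1].lower().split(".")[1:]  # drop base name
    last = len(exts) - 1
    ctype, type_idx, encodings, enc_inner = None, None, [], False
    for i, ext in enumerate(exts):
        if ext in add_type:          # rightmost mapped extension wins
            ctype, type_idx = add_type[ext], i
        if ext in add_encoding:      # encodings accumulate left to right
            encodings.append(add_encoding[ext])
            enc_inner = enc_inner or i != last
        # unmapped extensions (".gpg" by default) change nothing
    inner = enc_inner or (type_idx is not None and type_idx != last)
    return ctype, encodings, inner


def audit(names, add_type, add_encoding):
    """List the names whose headers would be derived from an inner extension."""
    return [n for n in names if resolve(n, add_type, add_encoding)[2]]


# Default mime.conf as quoted in the report, and the optional AddEncoding line.
DEFAULT_TYPES = {"gz": "application/x-gzip", "tgz": "application/x-gzip"}
GZIP_ENCODING = {"gz": "x-gzip", "tgz": "x-gzip"}
# Work-around from the report: map .gpg explicitly, keep AddEncoding disabled.
WORKAROUND_TYPES = dict(DEFAULT_TYPES, gpg="application/pgp-signature")

# Constructed sample of file names in a document root.
SAMPLE = ["data.tar.gz", "data.tar.gz.gpg", "index.html", "README"]

if __name__ == "__main__":
    configs = [
        ("default", DEFAULT_TYPES, {}),
        ("default + AddEncoding", DEFAULT_TYPES, GZIP_ENCODING),
        ("AddType .gpg + AddEncoding", WORKAROUND_TYPES, GZIP_ENCODING),
        ("work-around", WORKAROUND_TYPES, {}),
    ]
    for label, types, encs in configs:
        print(label, resolve("data.tar.gz.gpg", types, encs),
              "flagged:", audit(SAMPLE, types, encs))
```

The third configuration shows why the work-around needs both parts: with only the AddType for .gpg added, the response still carries the x-gzip encoding taken from the inner .gz.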


