Bug 391041

Summary:	www-servers/apache 2.2 - suexec and django non-ASCII file upload incompatibility as apache cut out LANG and LC_ALL variables
Product:	Gentoo Linux	Reporter:	Raimods <r>
Component:	[OLD] Server	Assignee:	Lars Wendler (Polynomial-C) (RETIRED) <polynomial-c>
Status:	RESOLVED TEST-REQUEST
Severity:	normal	CC:	mail
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:
Package list:		Runtime testing required:	---

Description Raimods 2011-11-19 19:14:34 UTC

Running cgi scripts with apache suexec, the suexec clean down variables , what not defined in apache's support/suexec.c file. This is according with apache docs: http://httpd.apache.org/docs/2.2/env.html , paragraph "Some Caveats".

But there is problem with non-ASCII file names upload with some python aplications (for example Django), running with suexec and mod_fcgid. There are required LANG and LC_ALL variables passed to CGI scripts, more infotions are there: http://stackoverflow.com/questions/6171278/unicode-in-django-admin , and https://code.djangoproject.com/wiki/django_apache_and_mod_wsgi#Additional%20Tweaking .

As it looks, then the only possible solution is add variable names to apache's support/suexec.c file. I propose add small patch with LANG and LC_ALL environments to gentoo apache patchset:

--- support/suexec.c.old	2011-11-19 19:48:45.994452000 +0200
+++ support/suexec.c	2011-11-19 19:49:39.351042000 +0200
@@ -98,6 +98,8 @@
     "SSL_",
 
     /* variable name is */
+    "LANG=",
+    "LC_ALL=",
     "AUTH_TYPE=",
     "CONTENT_LENGTH=",
     "CONTENT_TYPE=",

I think they are safe and will not cause any harm to anyone, but the abandonment of the suexec in which case could lower the level of security.

Reproducible: Always

Comment 1 Arfrever Frehtes Taifersar Arahesis 2011-11-22 23:07:53 UTC

Could you report your suggestion to upstream?
https://issues.apache.org/bugzilla/

Comment 2 Pacho Ramos gentoo-dev

2016-02-08 18:48:38 UTC

Is this still valid with apache-2.4?