Issue #2463967 by Darren Oh, tunic, andypost, alexpott, quietone, mstrelan,...

Issue #2463967 by Darren Oh, tunic, andypost, alexpott, quietone, mstrelan, longwave: Add PHP settings to .user.ini

.htaccess

 #
-# Apache/PHP/Drupal settings:
+# Apache/mod_php/Drupal settings:
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json|\.user\.ini)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
@@ -24,8 +24,11 @@ AddEncoding gzip svgz
 
 # Most of the following PHP settings cannot be changed at runtime. See
 # sites/default/default.settings.php and
-# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be
-# changed at runtime.
+# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
+# at runtime.
+#
+# PHP only reads settings from this file if it is running as an Apache module.
+# If PHP is running as a CGI script, see .user.ini.
 <IfModule mod_php.c>
   php_value assert.active                   0
 </IfModule>

.user.ini

+; Most of the following PHP settings cannot be changed at runtime. See
+; sites/default/default.settings.php and
+; Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
+; at runtime.
+;
+; PHP only reads settings from this file if it is running as a CGI script. If
+; PHP is running as an Apache module, see .htaccess.
+
+; Disable PHP assertions.
+assert.active = 0

composer.lock

@@ -495,7 +495,7 @@
             "dist": {
                 "type": "path",
                 "url": "core",
-                "reference": "cc2af7de02a19bfde449293a84468f5fb1e33cea"
+                "reference": "436f1c4b149b110c60db014909edf6ff2e6fc9f9"
             },
             "require": {
                 "asm89/stack-cors": "^2.1",
@@ -585,6 +585,7 @@
                         "[web-root]/.eslintrc.json": "assets/scaffold/files/eslintrc.json",
                         "[web-root]/.ht.router.php": "assets/scaffold/files/ht.router.php",
                         "[web-root]/.htaccess": "assets/scaffold/files/htaccess",
+                        "[web-root]/.user.ini": "assets/scaffold/files/user.ini",
                         "[web-root]/example.gitignore": "assets/scaffold/files/example.gitignore",
                         "[web-root]/index.php": "assets/scaffold/files/index.php",
                         "[web-root]/INSTALL.txt": "assets/scaffold/files/drupal.INSTALL.txt",

core/assets/scaffold/files/htaccess

 #
-# Apache/PHP/Drupal settings:
+# Apache/mod_php/Drupal settings:
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json|\.user\.ini)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
@@ -24,8 +24,11 @@ AddEncoding gzip svgz
 
 # Most of the following PHP settings cannot be changed at runtime. See
 # sites/default/default.settings.php and
-# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be
-# changed at runtime.
+# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
+# at runtime.
+#
+# PHP only reads settings from this file if it is running as an Apache module.
+# If PHP is running as a CGI script, see .user.ini.
 <IfModule mod_php.c>
   php_value assert.active                   0
 </IfModule>

core/assets/scaffold/files/user.ini

+; Most of the following PHP settings cannot be changed at runtime. See
+; sites/default/default.settings.php and
+; Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
+; at runtime.
+;
+; PHP only reads settings from this file if it is running as a CGI script. If
+; PHP is running as an Apache module, see .htaccess.
+
+; Disable PHP assertions.
+assert.active = 0

core/assets/scaffold/files/web.config

@@ -22,7 +22,7 @@
     <rewrite>
       <rules>
         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json|.user.ini)$" />
           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
         </rule>
 

core/composer.json

@@ -127,6 +127,7 @@
                 "[web-root]/.eslintrc.json": "assets/scaffold/files/eslintrc.json",
                 "[web-root]/.ht.router.php": "assets/scaffold/files/ht.router.php",
                 "[web-root]/.htaccess": "assets/scaffold/files/htaccess",
+                "[web-root]/.user.ini": "assets/scaffold/files/user.ini",
                 "[web-root]/example.gitignore": "assets/scaffold/files/example.gitignore",
                 "[web-root]/index.php": "assets/scaffold/files/index.php",
                 "[web-root]/INSTALL.txt": "assets/scaffold/files/drupal.INSTALL.txt",

core/modules/system/tests/src/Functional/System/HtaccessTest.php

@@ -98,6 +98,7 @@ protected function getProtectedFiles() {
     // Ensure web server configuration files cannot be accessed.
     $file_paths["$path/.htaccess"] = 403;
     $file_paths["$path/web.config"] = 403;
+    $file_paths["$path/.user.ini"] = 403;
 
     return $file_paths;
   }

web.config

@@ -22,7 +22,7 @@
     <rewrite>
       <rules>
         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json|.user.ini)$" />
           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
         </rule>