From de1a11ea785eeb76717187c87e044ccc93022bd5 Mon Sep 17 00:00:00 2001
From: Alex Pott <alex.a.pott@googlemail.com>
Date: Sat, 16 Dec 2023 08:22:15 +0000
Subject: [PATCH] Issue #2463967 by Darren Oh, tunic, andypost, alexpott,
 quietone, mstrelan, longwave: Add PHP settings to .user.ini

---
 .htaccess                                             | 11 +++++++----
 .user.ini                                             | 10 ++++++++++
 composer.lock                                         |  3 ++-
 core/assets/scaffold/files/htaccess                   | 11 +++++++----
 core/assets/scaffold/files/user.ini                   | 10 ++++++++++
 core/assets/scaffold/files/web.config                 |  2 +-
 core/composer.json                                    |  1 +
 .../system/tests/fixtures/HtaccessTest/.user.ini      |  0
 .../tests/src/Functional/System/HtaccessTest.php      |  1 +
 web.config                                            |  2 +-
 10 files changed, 40 insertions(+), 11 deletions(-)
 create mode 100644 .user.ini
 create mode 100644 core/assets/scaffold/files/user.ini
 create mode 100644 core/modules/system/tests/fixtures/HtaccessTest/.user.ini

diff --git a/.htaccess b/.htaccess
index 4031da475cfb..b0b55d586499 100644
--- a/.htaccess
+++ b/.htaccess
@@ -1,9 +1,9 @@
 #
-# Apache/PHP/Drupal settings:
+# Apache/mod_php/Drupal settings:
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json|\.user\.ini)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
@@ -24,8 +24,11 @@ AddEncoding gzip svgz
 
 # Most of the following PHP settings cannot be changed at runtime. See
 # sites/default/default.settings.php and
-# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be
-# changed at runtime.
+# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
+# at runtime.
+#
+# PHP only reads settings from this file if it is running as an Apache module.
+# If PHP is running as a CGI script, see .user.ini.
 <IfModule mod_php.c>
   php_value assert.active                   0
 </IfModule>
diff --git a/.user.ini b/.user.ini
new file mode 100644
index 000000000000..95d89560ff10
--- /dev/null
+++ b/.user.ini
@@ -0,0 +1,10 @@
+; Most of the following PHP settings cannot be changed at runtime. See
+; sites/default/default.settings.php and
+; Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
+; at runtime.
+;
+; PHP only reads settings from this file if it is running as a CGI script. If
+; PHP is running as an Apache module, see .htaccess.
+
+; Disable PHP assertions.
+assert.active = 0
diff --git a/composer.lock b/composer.lock
index ccd477eac316..e239adab8e9d 100644
--- a/composer.lock
+++ b/composer.lock
@@ -495,7 +495,7 @@
             "dist": {
                 "type": "path",
                 "url": "core",
-                "reference": "cc2af7de02a19bfde449293a84468f5fb1e33cea"
+                "reference": "436f1c4b149b110c60db014909edf6ff2e6fc9f9"
             },
             "require": {
                 "asm89/stack-cors": "^2.1",
@@ -585,6 +585,7 @@
                         "[web-root]/.eslintrc.json": "assets/scaffold/files/eslintrc.json",
                         "[web-root]/.ht.router.php": "assets/scaffold/files/ht.router.php",
                         "[web-root]/.htaccess": "assets/scaffold/files/htaccess",
+                        "[web-root]/.user.ini": "assets/scaffold/files/user.ini",
                         "[web-root]/example.gitignore": "assets/scaffold/files/example.gitignore",
                         "[web-root]/index.php": "assets/scaffold/files/index.php",
                         "[web-root]/INSTALL.txt": "assets/scaffold/files/drupal.INSTALL.txt",
diff --git a/core/assets/scaffold/files/htaccess b/core/assets/scaffold/files/htaccess
index 4031da475cfb..b0b55d586499 100644
--- a/core/assets/scaffold/files/htaccess
+++ b/core/assets/scaffold/files/htaccess
@@ -1,9 +1,9 @@
 #
-# Apache/PHP/Drupal settings:
+# Apache/mod_php/Drupal settings:
 #
 
 # Protect files and directories from prying eyes.
-<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
+<FilesMatch "\.(engine|inc|install|make|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml)(~|\.sw[op]|\.bak|\.orig|\.save)?$|^(\.(?!well-known).*|Entries.*|Repository|Root|Tag|Template|composer\.(json|lock)|web\.config|yarn\.lock|package\.json|\.user\.ini)$|^#.*#$|\.php(~|\.sw[op]|\.bak|\.orig|\.save)$">
   <IfModule mod_authz_core.c>
     Require all denied
   </IfModule>
@@ -24,8 +24,11 @@ AddEncoding gzip svgz
 
 # Most of the following PHP settings cannot be changed at runtime. See
 # sites/default/default.settings.php and
-# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be
-# changed at runtime.
+# Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
+# at runtime.
+#
+# PHP only reads settings from this file if it is running as an Apache module.
+# If PHP is running as a CGI script, see .user.ini.
 <IfModule mod_php.c>
   php_value assert.active                   0
 </IfModule>
diff --git a/core/assets/scaffold/files/user.ini b/core/assets/scaffold/files/user.ini
new file mode 100644
index 000000000000..95d89560ff10
--- /dev/null
+++ b/core/assets/scaffold/files/user.ini
@@ -0,0 +1,10 @@
+; Most of the following PHP settings cannot be changed at runtime. See
+; sites/default/default.settings.php and
+; Drupal\Core\DrupalKernel::bootEnvironment() for settings that can be changed
+; at runtime.
+;
+; PHP only reads settings from this file if it is running as a CGI script. If
+; PHP is running as an Apache module, see .htaccess.
+
+; Disable PHP assertions.
+assert.active = 0
diff --git a/core/assets/scaffold/files/web.config b/core/assets/scaffold/files/web.config
index b769e45e3699..408b16d96fa6 100644
--- a/core/assets/scaffold/files/web.config
+++ b/core/assets/scaffold/files/web.config
@@ -22,7 +22,7 @@
     <rewrite>
       <rules>
         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json|.user.ini)$" />
           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
         </rule>
 
diff --git a/core/composer.json b/core/composer.json
index 9ae3cab9bee5..05c7c56b12db 100644
--- a/core/composer.json
+++ b/core/composer.json
@@ -127,6 +127,7 @@
                 "[web-root]/.eslintrc.json": "assets/scaffold/files/eslintrc.json",
                 "[web-root]/.ht.router.php": "assets/scaffold/files/ht.router.php",
                 "[web-root]/.htaccess": "assets/scaffold/files/htaccess",
+                "[web-root]/.user.ini": "assets/scaffold/files/user.ini",
                 "[web-root]/example.gitignore": "assets/scaffold/files/example.gitignore",
                 "[web-root]/index.php": "assets/scaffold/files/index.php",
                 "[web-root]/INSTALL.txt": "assets/scaffold/files/drupal.INSTALL.txt",
diff --git a/core/modules/system/tests/fixtures/HtaccessTest/.user.ini b/core/modules/system/tests/fixtures/HtaccessTest/.user.ini
new file mode 100644
index 000000000000..e69de29bb2d1
diff --git a/core/modules/system/tests/src/Functional/System/HtaccessTest.php b/core/modules/system/tests/src/Functional/System/HtaccessTest.php
index 09046c446fc9..2a88bf768b13 100644
--- a/core/modules/system/tests/src/Functional/System/HtaccessTest.php
+++ b/core/modules/system/tests/src/Functional/System/HtaccessTest.php
@@ -98,6 +98,7 @@ protected function getProtectedFiles() {
     // Ensure web server configuration files cannot be accessed.
     $file_paths["$path/.htaccess"] = 403;
     $file_paths["$path/web.config"] = 403;
+    $file_paths["$path/.user.ini"] = 403;
 
     return $file_paths;
   }
diff --git a/web.config b/web.config
index b769e45e3699..408b16d96fa6 100644
--- a/web.config
+++ b/web.config
@@ -22,7 +22,7 @@
     <rewrite>
       <rules>
         <rule name="Protect files and directories from prying eyes" stopProcessing="true">
-          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json)$" />
+          <match url="\.(engine|inc|install|module|profile|po|sh|.*sql|theme|twig|tpl(\.php)?|xtmpl|yml|svn-base)$|^(code-style\.pl|Entries.*|Repository|Root|Tag|Template|all-wcprops|entries|format|composer\.(json|lock)|\.htaccess|yarn.lock|package.json|.user.ini)$" />
           <action type="CustomResponse" statusCode="403" subStatusCode="0" statusReason="Forbidden" statusDescription="Access is forbidden." />
         </rule>
 
-- 
GitLab