From d08fdb074dee7bd242535e5af310dca872b4de74 Mon Sep 17 00:00:00 2001
From: catch <catch@35733.no-reply.drupal.org>
Date: Fri, 26 May 2023 12:22:21 +0100
Subject: [PATCH] Issue #3358514 by poker10, mcdruid, smustgrave: Make phpinfo
 on the admin status report configurable

---
 core/assets/scaffold/files/default.settings.php | 17 +++++++++++++++++
 .../src/Controller/SystemInfoController.php     |  4 +++-
 .../tests/src/Functional/System/StatusTest.php  |  9 +++++++++
 sites/default/default.settings.php              | 17 +++++++++++++++++
 4 files changed, 46 insertions(+), 1 deletion(-)

diff --git a/core/assets/scaffold/files/default.settings.php b/core/assets/scaffold/files/default.settings.php
index 81a6dbf3d0ba..c0b18427ae94 100644
--- a/core/assets/scaffold/files/default.settings.php
+++ b/core/assets/scaffold/files/default.settings.php
@@ -560,6 +560,23 @@
  */
 # $settings['file_sa_core_2023_005_schemes'] = ['porcelain'];
 
+/**
+ * Configuration for phpinfo() admin status report.
+ *
+ * Drupal's admin UI includes a report at admin/reports/status/php which shows
+ * the output of phpinfo(). The full output can contain sensitive information
+ * so by default Drupal removes some sections.
+ *
+ * This behaviour can be configured by setting this variable to a different
+ * value corresponding to the flags parameter of phpinfo().
+ *
+ * If you need to expose more information in the report - for example to debug a
+ * problem - consider doing so temporarily.
+ *
+ * @see https://www.php.net/manual/function.phpinfo.php
+ */
+# $settings['sa_core_2023_004_phpinfo_flags'] = ~ (INFO_VARIABLES | INFO_ENVIRONMENT);
+
 /**
  * Private file path:
  *
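Review bot: The new docblock says Drupal "removes some sections" but never names them, so an administrator reading settings.php cannot tell what the default protects or what a different value would expose. I would add a sentence such as `By default the INFO_VARIABLES and INFO_ENVIRONMENT sections are omitted, because they print request data (cookies, server variables) and environment variables.` The comment should also say that the value must be an integer bitmask built from PHP's INFO_* constants, since the commented-out example is the only hint of the expected type. The identical docblock added to sites/default/default.settings.php needs the same wording change.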
diff --git a/core/modules/system/src/Controller/SystemInfoController.php b/core/modules/system/src/Controller/SystemInfoController.php
index 7ba496bf4fc1..16f8bf946bf8 100644
--- a/core/modules/system/src/Controller/SystemInfoController.php
+++ b/core/modules/system/src/Controller/SystemInfoController.php
@@ -2,6 +2,7 @@
 
 namespace Drupal\system\Controller;
 
+use Drupal\Core\Site\Settings;
 use Symfony\Component\DependencyInjection\ContainerInterface;
 use Symfony\Component\HttpFoundation\Response;
 use Drupal\Core\DependencyInjection\ContainerInjectionInterface;
@@ -62,7 +63,8 @@ public function status() {
   public function php() {
     if (function_exists('phpinfo')) {
       ob_start();
-      phpinfo(~ (INFO_VARIABLES | INFO_ENVIRONMENT));
+      $phpinfo_flags = Settings::get('sa_core_2023_004_phpinfo_flags', ~ (INFO_VARIABLES | INFO_ENVIRONMENT));
+      phpinfo($phpinfo_flags);
       $output = ob_get_clean();
     }
     else {
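Review bot: The value returned by `Settings::get('sa_core_2023_004_phpinfo_flags', ...)` is passed to `phpinfo()` with no type check. A settings.php mistake, such as a string or array instead of an INFO_* bitmask, would likely be coerced or raise a TypeError on the report page instead of falling back to the restricted default. A guard before the call keeps the page on the safe mask in that case: `if (!is_int($phpinfo_flags)) { $phpinfo_flags = ~ (INFO_VARIABLES | INFO_ENVIRONMENT); }`. A short comment on the default would also help, for example `// Hide request variables and environment by default; they can contain session cookies and secrets.` The body of php() continues past the end of this hunk.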
diff --git a/core/modules/system/tests/src/Functional/System/StatusTest.php b/core/modules/system/tests/src/Functional/System/StatusTest.php
index deca8335291e..6046732b2acc 100644
--- a/core/modules/system/tests/src/Functional/System/StatusTest.php
+++ b/core/modules/system/tests/src/Functional/System/StatusTest.php
@@ -93,6 +93,15 @@ public function testStatusPage() {
     $this->drupalGet('admin/reports/status/php');
     $this->assertSession()->statusCodeEquals(200);
 
+    $settings['settings']['sa_core_2023_004_phpinfo_flags'] = (object) [
+      'value' => INFO_ALL,
+      'required' => TRUE,
+    ];
+    $this->writeSettings($settings);
+    $this->drupalGet('admin/reports/status/php');
+    $this->assertSession()->pageTextContains('PHP');
+    $this->assertSession()->pageTextContains('$_COOKIE');
+
     // Check if cron error is displayed in errors section.
     $cron_last_run = \Drupal::state()->get('system.cron_last');
     \Drupal::state()->set('system.cron_last', 0);
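Review bot: The added assertions only cover the opt-in case (INFO_ALL shows `$_COOKIE`); nothing checks that the default output hides it, so a regression that made the default permissive would still pass. After the existing `statusCodeEquals(200)` check and before the settings are rewritten, I would add `$this->assertSession()->pageTextNotContains('$_COOKIE');`, assuming no other phpinfo section prints that string. `pageTextContains('PHP')` is also very weak, because it would match almost any rendering of the page. The test leaves the INFO_ALL setting in place for the rest of testStatusPage(), which continues outside this hunk; resetting it or adding a comment that later assertions do not depend on it would make that explicit.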
diff --git a/sites/default/default.settings.php b/sites/default/default.settings.php
index 81a6dbf3d0ba..c0b18427ae94 100644
--- a/sites/default/default.settings.php
+++ b/sites/default/default.settings.php
@@ -560,6 +560,23 @@
  */
 # $settings['file_sa_core_2023_005_schemes'] = ['porcelain'];
 
+/**
+ * Configuration for phpinfo() admin status report.
+ *
+ * Drupal's admin UI includes a report at admin/reports/status/php which shows
+ * the output of phpinfo(). The full output can contain sensitive information
+ * so by default Drupal removes some sections.
+ *
+ * This behaviour can be configured by setting this variable to a different
+ * value corresponding to the flags parameter of phpinfo().
+ *
+ * If you need to expose more information in the report - for example to debug a
+ * problem - consider doing so temporarily.
+ *
+ * @see https://www.php.net/manual/function.phpinfo.php
+ */
+# $settings['sa_core_2023_004_phpinfo_flags'] = ~ (INFO_VARIABLES | INFO_ENVIRONMENT);
+
 /**
  * Private file path:
  *
-- 
GitLab