You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The register_argc_argv directive in php.ini is currently enabled by default. When active, this legacy setting causes all GET parameters to be included in $_SERVER['argv'] for every request. Applications that rely on $_SERVER['argv'] without properly checking the request environment (SAPI) can become vulnerable to serious attacks, as demonstrated by CVE-2024-56145.
Since most modern PHP applications do not depend on this feature, disabling register_argc_argv by default should have minimal impact on real-world deployments.
The
register_argc_argvdirective inphp.iniis currently enabled by default. When active, this legacy setting causes all GET parameters to be included in$_SERVER['argv']for every request. Applications that rely on$_SERVER['argv']without properly checking the request environment (SAPI) can become vulnerable to serious attacks, as demonstrated by CVE-2024-56145.Since most modern PHP applications do not depend on this feature, disabling
register_argc_argvby default should have minimal impact on real-world deployments.The PHP documentation: https://www.php.net/manual/en/ini.core.php#ini.register-argc-argv.
The text was updated successfully, but these errors were encountered: