Hey,

I recently opened an issue on GitHub [1] to discuss setting
register_argc_argv to Off by default for all SAPIs but cli, embed, and
phpdbg. Ilija Tovilo suggested including this change in 8.4.0.

Even though most downstream distributions already turn it off, that's
not the case everywhere. For instance, the official Docker image has
it on [2]. Outside of performance reasons, this also has a security
impact because it eases the exploitation of limited LFI bugs [3] and
CLI tools stored under the web root [4].

-Thomas

[1]: https://github.com/php/php-src/issues/12344
[2]: https://hub.docker.com/_/php
[3]: https://www.youtube.com/watch?v=yq2rq50IMSQ
[4]: https://github.com/advisories/GHSA-jm6m-4632-36hf

-- 
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: https://www.php.net/unsub.php
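
Added example, not part of the original message or of php-src: a small audit that works out the effective register_argc_argv value from a set of ini files and flags it when it is on for a SAPI other than cli, embed, or phpdbg. Assumptions: the built-in default is On (as the proposal implies), files are passed in load order, ini sections are ignored, and the file names, contents, and the fpm-fcgi and apache2handler SAPI names are constructed sample input.

```python
import re

# Assumption: value in effect when no ini file sets the directive.
# The proposal to change the default to Off implies it is currently On.
BUILTIN_DEFAULT = True
EXEMPT_SAPIS = {"cli", "embed", "phpdbg"}   # SAPIs named in the proposal
TRUE_WORDS = {"on", "yes", "true"}
# Uncommented directive line; ';' starts a trailing comment.
DIRECTIVE = re.compile(r"^\s*register_argc_argv\s*=\s*([^;]*)", re.I)


def effective_setting(ini_files):
    """ini_files: list of (name, text) in load order; the last assignment wins.
    Returns (enabled, source), where source says where the value came from."""
    enabled, source = BUILTIN_DEFAULT, "built-in default"
    for name, text in ini_files:
        for lineno, line in enumerate(text.splitlines(), 1):
            match = DIRECTIVE.match(line)
            if not match:
                continue
            value = match.group(1).strip().strip("\"'").lower()
            # Simplified boolean parsing: keywords, or a non-zero integer.
            enabled = value in TRUE_WORDS or (value.isdigit() and int(value) != 0)
            source = f"{name}:{lineno}"
    return enabled, source


def audit(sapi, ini_files):
    """Flag a finding when argv registration is on for a non-exempt SAPI."""
    enabled, source = effective_setting(ini_files)
    return {"sapi": sapi, "enabled": enabled, "source": source,
            "finding": enabled and sapi not in EXEMPT_SAPIS}


# Constructed sample configurations.
NO_INI = []  # no ini file at all, so the built-in default applies
HARDENED = [("php.ini", ";register_argc_argv = On\nregister_argc_argv = Off\n")]
OVERRIDDEN = HARDENED + [("conf.d/99-legacy.ini",
                          "register_argc_argv = On ; re-enabled for a script\n")]

if __name__ == "__main__":
    for sapi, files in [("fpm-fcgi", NO_INI), ("cli", NO_INI),
                        ("fpm-fcgi", HARDENED), ("apache2handler", OVERRIDDEN)]:
        print(audit(sapi, files))
```

The third sample case shows why the audit has to follow load order: a later scan-directory file can silently undo a hardened php.ini.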
