The register_argc_argv directive in php.ini is currently enabled by default. When active, this legacy setting causes all GET parameters to be included in $_SERVER['argv'] for every request. Applications that rely on $_SERVER['argv'] without properly checking the request environment (SAPI) can become vulnerable to serious attacks, as demonstrated by CVE-2024-56145.
Since most modern PHP applications do not depend on this feature, disabling register_argc_argv by default should have minimal impact on real-world deployments.
The PHP documentation: https://www.php.net/manual/en/ini.core.php#ini.register-argc-argv.
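
A defensive pattern for the SAPI check described above, as an added example that is not part of the original report. The helper names `cli_arguments()` and `argv_exposed_to_web()` and the sample arrays are assumptions, constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: return command-line arguments only when the script
// really runs under a command-line SAPI. $sapi and $server are injectable so
// the logic can be exercised without a web server.
function cli_arguments(?string $sapi = null, ?array $server = null): array
{
    $sapi   = $sapi ?? PHP_SAPI;
    $server = $server ?? $_SERVER;

    // Under web SAPIs (fpm-fcgi, apache2handler, cgi-fcgi, ...) argv may be
    // built from the request's query string when register_argc_argv is on,
    // so it is request-controlled input and is ignored here.
    if (!in_array($sapi, ['cli', 'phpdbg'], true)) {
        return [];
    }

    $argv = $server['argv'] ?? [];
    if (!is_array($argv)) {
        return [];
    }
    // Element 0 is the script name on the command line; keep the rest.
    return array_values(array_slice($argv, 1));
}

// Hypothetical deployment check: true when a web SAPI runs with the
// directive enabled (the CLI SAPI always registers argv, so it is skipped).
function argv_exposed_to_web(?string $sapi = null, $iniValue = null): bool
{
    $sapi     = $sapi ?? PHP_SAPI;
    $iniValue = $iniValue ?? ini_get('register_argc_argv');

    $enabled = filter_var($iniValue, FILTER_VALIDATE_BOOLEAN);
    return $enabled && !in_array($sapi, ['cli', 'phpdbg'], true);
}

// Constructed sample data, not captured from a real request.
$webServer = ['argv' => ['--verbose'], 'argc' => 1];          // from a query string
$cliServer = ['argv' => ['task.php', '--verbose'], 'argc' => 2];

var_dump(cli_arguments('fpm-fcgi', $webServer)); // argv ignored under a web SAPI
var_dump(cli_arguments('cli', $cliServer));      // real CLI arguments returned
var_dump(argv_exposed_to_web('fpm-fcgi', '1'));  // directive on under a web SAPI
var_dump(argv_exposed_to_web('fpm-fcgi', '0'));  // directive off
```

Setting `register_argc_argv = Off` in the php.ini used by the web SAPI removes the exposure at the configuration level; the SAPI check in code still applies on hosts where the setting cannot be changed.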