Open
Description
The register_argc_argv directive in php.ini is currently enabled by default. When active, this legacy setting causes all GET parameters to be included in $_SERVER['argv'] for every request. Applications that rely on $_SERVER['argv'] without properly checking the request environment (SAPI) can become vulnerable to serious attacks, as demonstrated by CVE-2024-56145.
Since most modern PHP applications do not depend on this feature, disabling register_argc_argv by default should have minimal impact on real-world deployments.
The PHP documentation: https://www.php.net/manual/en/ini.core.php#ini.register-argc-argv.
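The pattern described in the issue, as an added example (not code from the issue, PHP itself, or any affected application): an option reader that trusts `$_SERVER['argv']` next to one that first checks the SAPI. The function names, the `--config` option and the sample query string are hypothetical and constructed, and `simulateWebArgv()` is a simplified model of how a web SAPI fills `argv` from the query string when `register_argc_argv` is on.

```php
<?php
declare(strict_types=1);

// Simplified model (assumption): with register_argc_argv=On under a web SAPI,
// $_SERVER['argv'] is built from the raw query string, split on '+'.
function simulateWebArgv(string $queryString): array
{
    return $queryString === '' ? [] : explode('+', $queryString);
}

// Shared parser: collects --name=value pairs from an argv-style array.
function parseOptions(array $argv): array
{
    $options = [];
    foreach ($argv as $arg) {
        if (is_string($arg) && preg_match('/^--([A-Za-z][\w-]*)=(.*)$/', $arg, $m)) {
            $options[$m[1]] = $m[2];
        }
    }
    return $options;
}

// Unsafe pattern: argv is trusted no matter how PHP was invoked.
function readOptionsUnsafe(array $server): array
{
    return parseOptions($server['argv'] ?? []);
}

// Hardened pattern: argv is honoured only under the CLI SAPI.
function readOptionsChecked(array $server, string $sapi = PHP_SAPI): array
{
    if ($sapi !== 'cli') {
        return []; // web request: argv may be request-controlled, ignore it
    }
    return parseOptions($server['argv'] ?? []);
}

// Constructed web request: the query string looks like a CLI option.
$webServer = ['argv' => simulateWebArgv('--config=/tmp/other.php')];
// Constructed CLI invocation for comparison.
$cliServer = ['argv' => ['script.php', '--config=/etc/app/config.php']];

echo 'web, unsafe:  ', json_encode(readOptionsUnsafe($webServer)), PHP_EOL;
echo 'web, checked: ', json_encode(readOptionsChecked($webServer, 'fpm-fcgi')), PHP_EOL;
echo 'cli, checked: ', json_encode(readOptionsChecked($cliServer, 'cli')), PHP_EOL;
echo 'register_argc_argv = ', var_export(ini_get('register_argc_argv'), true), PHP_EOL;
```

Under the CLI SAPI, PHP populates `argv` regardless of the ini value, so the last line is only meaningful when the script is served through a web SAPI.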