From 74674c3d561679dccdb36c77e389c039bd918904 Mon Sep 17 00:00:00 2001
From: Jakub Zelenka <bukka@php.net>
Date: Thu, 9 Oct 2025 14:10:14 +0200
Subject: [PATCH] Fix GH-19817: Decode SCRIPT_FILENAME issue in php 8.5
 (#20114)

This changes default for fastcgi.script_path_encoded INI to have
default behavior without a BC break. There has been already issue
about this in RC so it is very likely that it could have much bigger
impact so it's better to be safe.
---
 UPGRADING                                               | 2 +-
 php.ini-development                                     | 8 ++++----
 php.ini-production                                      | 8 ++++----
 sapi/fpm/fpm/fpm_main.c                                 | 4 ++--
 sapi/fpm/tests/fcgi-env-pif-apache-pp-sfp-decoding.phpt | 1 +
 sapi/fpm/tests/fcgi-env-pif-apache-pp-sfp-encoded.phpt  | 3 +--
 6 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/UPGRADING b/UPGRADING
index 2fa248c24d5..94ee9cacb9f 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -341,7 +341,7 @@ PHP 8.5 UPGRADE NOTES
     default.
 
 - FPM:
-  . FPM with httpd ProxyPass decodes the full script path. Added
+  . FPM with httpd ProxyPass optionally decodes the full script path. Added
     fastcgi.script_path_encoded INI setting to prevent this new behavior.
   . FPM access log limit now respects log_limit value.
 
diff --git a/php.ini-development b/php.ini-development
index 7018682fb0d..6f93f440112 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -807,10 +807,10 @@ enable_dl = Off
 ;fastcgi.impersonate = 1
 
 ; Prevent decoding of SCRIPT_FILENAME when using Apache ProxyPass or
-; ProxyPassMatch. This should only be used if script file paths are already
-; stored in an encoded format on the file system.
-; Default is 0.
-;fastcgi.script_path_encoded = 1
+; ProxyPassMatch. This should be used if script file paths are not stored
+; in an encoded format on the file system.
+; Default is 1.
+;fastcgi.script_path_encoded = 0
 
 ; Disable logging through FastCGI connection. PHP's default behavior is to enable
 ; this feature.
diff --git a/php.ini-production b/php.ini-production
index 602d005afd5..9aafad21e9c 100644
--- a/php.ini-production
+++ b/php.ini-production
@@ -809,10 +809,10 @@ enable_dl = Off
 ;fastcgi.impersonate = 1
 
 ; Prevent decoding of SCRIPT_FILENAME when using Apache ProxyPass or
-; ProxyPassMatch. This should only be used if script file paths are already
-; stored in an encoded format on the file system.
-; Default is 0.
-;fastcgi.script_path_encoded = 1
+; ProxyPassMatch. This should be used if script file paths are not stored
+; in an encoded format on the file system.
+; Default is 1.
+;fastcgi.script_path_encoded = 0
 
 ; Disable logging through FastCGI connection. PHP's default behavior is to enable
 ; this feature.
diff --git a/sapi/fpm/fpm/fpm_main.c b/sapi/fpm/fpm/fpm_main.c
index fa2417122e7..cc89b8c07c1 100644
--- a/sapi/fpm/fpm/fpm_main.c
+++ b/sapi/fpm/fpm/fpm_main.c
@@ -1435,7 +1435,7 @@ PHP_INI_BEGIN()
 	STD_PHP_INI_BOOLEAN("cgi.nph",                     "0",  PHP_INI_ALL,    OnUpdateBool,   nph, php_cgi_globals_struct, php_cgi_globals)
 	STD_PHP_INI_BOOLEAN("cgi.fix_pathinfo",            "1",  PHP_INI_SYSTEM, OnUpdateBool,   fix_pathinfo, php_cgi_globals_struct, php_cgi_globals)
 	STD_PHP_INI_BOOLEAN("cgi.discard_path",            "0",  PHP_INI_SYSTEM, OnUpdateBool,   discard_path, php_cgi_globals_struct, php_cgi_globals)
-	STD_PHP_INI_BOOLEAN("fastcgi.script_path_encoded", "0",  PHP_INI_SYSTEM, OnUpdateBool,   fcgi_script_path_encoded, php_cgi_globals_struct, php_cgi_globals)
+	STD_PHP_INI_BOOLEAN("fastcgi.script_path_encoded", "1",  PHP_INI_SYSTEM, OnUpdateBool,   fcgi_script_path_encoded, php_cgi_globals_struct, php_cgi_globals)
 	STD_PHP_INI_BOOLEAN("fastcgi.logging",             "1",  PHP_INI_SYSTEM, OnUpdateBool,   fcgi_logging, php_cgi_globals_struct, php_cgi_globals)
 	STD_PHP_INI_ENTRY("fastcgi.error_header",          NULL, PHP_INI_SYSTEM, OnUpdateString, error_header, php_cgi_globals_struct, php_cgi_globals)
 	STD_PHP_INI_ENTRY("fpm.config",                    NULL, PHP_INI_SYSTEM, OnUpdateString, fpm_config, php_cgi_globals_struct, php_cgi_globals)
@@ -1448,7 +1448,7 @@ static void php_cgi_globals_ctor(php_cgi_globals_struct *php_cgi_globals)
 	php_cgi_globals->nph = 0;
 	php_cgi_globals->fix_pathinfo = 1;
 	php_cgi_globals->discard_path = 0;
-	php_cgi_globals->fcgi_script_path_encoded = 0;
+	php_cgi_globals->fcgi_script_path_encoded = 1;
 	php_cgi_globals->fcgi_logging = 1;
 	php_cgi_globals->fcgi_logging_request_started = false;
 	zend_hash_init(&php_cgi_globals->user_config_cache, 0, NULL, user_config_cache_entry_dtor, 1);
diff --git a/sapi/fpm/tests/fcgi-env-pif-apache-pp-sfp-decoding.phpt b/sapi/fpm/tests/fcgi-env-pif-apache-pp-sfp-decoding.phpt
index d6189107fb8..251a634b0b7 100644
--- a/sapi/fpm/tests/fcgi-env-pif-apache-pp-sfp-decoding.phpt
+++ b/sapi/fpm/tests/fcgi-env-pif-apache-pp-sfp-decoding.phpt
@@ -18,6 +18,7 @@ pm.start_servers = 1
 pm.min_spare_servers = 1
 pm.max_spare_servers = 3
 php_admin_value[cgi.fix_pathinfo] = yes
+php_admin_value[fastcgi.script_path_encoded] = no
 EOT;
 
 $code = <<<EOT
diff --git a/sapi/fpm/tests/fcgi-env-pif-apache-pp-sfp-encoded.phpt b/sapi/fpm/tests/fcgi-env-pif-apache-pp-sfp-encoded.phpt
index 3b5ccc86b69..32e4d28c4fc 100644
--- a/sapi/fpm/tests/fcgi-env-pif-apache-pp-sfp-encoded.phpt
+++ b/sapi/fpm/tests/fcgi-env-pif-apache-pp-sfp-encoded.phpt
@@ -1,5 +1,5 @@
 --TEST--
-FPM: FastCGI change for Apache ProxyPass SCRIPT_FILENAME decoding - fallback (GH-17645)
+FPM: FastCGI change for Apache ProxyPass SCRIPT_FILENAME decoding - default (GH-17645)
 --SKIPIF--
 <?php include "skipif.inc"; ?>
 --FILE--
@@ -18,7 +18,6 @@ pm.start_servers = 1
 pm.min_spare_servers = 1
 pm.max_spare_servers = 3
 php_admin_value[cgi.fix_pathinfo] = yes
-php_admin_value[fastcgi.script_path_encoded] = yes
 EOT;
 
 $code = <<<EOT