From 4f0960a800202323ac0b9d1d8041ad8dce31db98 Mon Sep 17 00:00:00 2001
From: "Christoph M. Becker"
Date: Mon, 26 Sep 2016 18:16:50 +0200
Subject: Fix #53745: cgi.discard_path option is missing from php.ini

Also cgi.check_shebang_line has been missing.
---
 php.ini-development | 12 ++++++++++++
 php.ini-production | 12 ++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/php.ini-development b/php.ini-development
index d38f672a59..76f2174f5e 100644
--- a/php.ini-development
+++ b/php.ini-development
@@ -770,6 +770,11 @@ enable_dl = Off
 ; http://php.net/cgi.fix-pathinfo
 ;cgi.fix_pathinfo=1
 
+; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
+; of the web tree and people will not be able to circumvent .htaccess security.
+; http://php.net/cgi.dicard-path
+;cgi.discard_path=1
+
 ; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
 ; security tokens of the calling client. This allows IIS to define the
 ; security context that the request runs under. mod_fastcgi under Apache
@@ -790,6 +795,13 @@ enable_dl = Off
 ; http://php.net/cgi.rfc2616-headers
 ;cgi.rfc2616_headers = 0
 
+; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
+; (shebang) at the top of the running script. This line might be needed if the
+; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
+; mode skips this line and ignores its content if this directive is turned on.
+; http://php.net/cgi.check-shebang-line
+;cgi.check_shebang_line=1
+
 ;;;;;;;;;;;;;;;;
 ; File Uploads ;
 ;;;;;;;;;;;;;;;;
diff --git a/php.ini-production b/php.ini-production
index d295c46392..b593c24230 100644
--- a/php.ini-production
+++ b/php.ini-production
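Review bot: The reference URL in the added cgi.discard_path comment is misspelled as `http://php.net/cgi.dicard-path`, so it will not lead to the directive's manual entry; it should read `; http://php.net/cgi.discard-path`. The same typo appears in the first php.ini-production hunk. The sample line `;cgi.discard_path=1` also sits next to a comment that never states the default, so a reader may take 1 for the built-in value; I believe the default is 0, which should be confirmed against the SAPI's ini defaults, and a line such as `; Default is zero.` would remove the ambiguity. Because the comment claims the binary can "safely" be placed outside the web tree, it is worth making clear that this holds only once the directive is explicitly enabled.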
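Review bot: The added cgi.check_shebang_line comment has a stray `<` in `PHP CGI<.`, which looks like a leftover from the manual's markup, along with two grammar slips ("checks for line", "script support"). I would write the affected lines as `; cgi.check_shebang_line controls whether CGI PHP checks for a line starting with #!` and `; script supports running both as a stand-alone script and via PHP CGI. PHP in CGI`. The same text is repeated in the second php.ini-production hunk and needs the same correction.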
@@ -770,6 +770,11 @@ enable_dl = Off
 ; http://php.net/cgi.fix-pathinfo
 ;cgi.fix_pathinfo=1
 
+; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
+; of the web tree and people will not be able to circumvent .htaccess security.
+; http://php.net/cgi.dicard-path
+;cgi.discard_path=1
+
 ; FastCGI under IIS (on WINNT based OS) supports the ability to impersonate
 ; security tokens of the calling client. This allows IIS to define the
 ; security context that the request runs under. mod_fastcgi under Apache
@@ -790,6 +795,13 @@ enable_dl = Off
 ; http://php.net/cgi.rfc2616-headers
 ;cgi.rfc2616_headers = 0
 
+; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
+; (shebang) at the top of the running script. This line might be needed if the
+; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
+; mode skips this line and ignores its content if this directive is turned on.
+; http://php.net/cgi.check-shebang-line
+;cgi.check_shebang_line=1
+
 ;;;;;;;;;;;;;;;;
 ; File Uploads ;
 ;;;;;;;;;;;;;;;;
--
cgit v1.2.1