[BUGFIX] Correctly resolve instance script path

Calling a site using http://example.org/index.php/invalid/ leads to
~/index.php/whatever/ being used as internal script path, which causes
errors or internal side-effects.

This behavior seems to occur only on web-servers using Apache with
PHP-CGI or PHP-FPM, using PHP setting `cgi.fix_pathinfo = 1`.

In case `cgi.fix_pathinfo` is enabled, the current script name is
retrieved from `$_SERVER['SCRIPT_FILENAME']` instead.

Resolves: #97543
Releases: main, 11.5, 10.4
Change-Id: Ia5f6b705253d42d4fc409b90b21d0363c4b97974
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74505


Tested-by: core-ci <typo3@b13.com>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>

typo3/sysext/core/Classes/Core/Environment.php

@@ -324,6 +324,11 @@ class Environment
         return in_array(PHP_SAPI, self::$supportedCgiServerApis, true);
     }
 
+    public static function usesCgiFixPathInfo(): bool
+    {
+        return !empty(ini_get('cgi.fix_pathinfo'));
+    }
+
     /**
      * Returns the currently configured Environment information as array.
      *

typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php

@@ -313,8 +313,12 @@ class SystemEnvironmentBuilder
      */
     protected static function getPathThisScriptNonCli()
     {
+        $isCgi = Environment::isRunningOnCgiServer();
+        if ($isCgi && Environment::usesCgiFixPathInfo()) {
+            return $_SERVER['SCRIPT_FILENAME'];
+        }
         $cgiPath = $_SERVER['ORIG_PATH_TRANSLATED'] ?? $_SERVER['PATH_TRANSLATED'] ?? '';
-        if ($cgiPath && Environment::isRunningOnCgiServer()) {
+        if ($cgiPath && $isCgi) {
             return $cgiPath;
         }
         return $_SERVER['ORIG_SCRIPT_FILENAME'] ?? $_SERVER['SCRIPT_FILENAME'];