From 6bebc19ef33a078f7a98d96585a3c1a6098a2a0d Mon Sep 17 00:00:00 2001
From: Larry Garfield <larry@garfieldtech.com>
Date: Thu, 16 Sep 2021 11:40:50 -0500
Subject: [PATCH] [TASK] Disable sub-request error pages by default

We can re-enable them by default when we're much more certain
that stateful services have been removed or properly handled.

Resolves: #95253
Related: #95174
Related: #94402
Releases: master
Change-Id: I820f48797a21ded4ce49b74ce11b9c1eb164b353
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/71107
Tested-by: core-ci <typo3@b13.com>
Tested-by: Simon Gilli <typo3@gilbertsoft.org>
Tested-by: Benjamin Franzke <bfr@qbus.de>
Reviewed-by: Simon Gilli <typo3@gilbertsoft.org>
Reviewed-by: Benjamin Franzke <bfr@qbus.de>
---
 .../core/Configuration/DefaultConfiguration.php   |  2 +-
 .../DefaultConfigurationDescription.yaml          |  2 +-
 ...erateErrorPagesViaTYPO3-internalSubRequest.rst | 15 ++++++++++-----
 3 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/typo3/sysext/core/Configuration/DefaultConfiguration.php b/typo3/sysext/core/Configuration/DefaultConfiguration.php
index 2e847d9e2677..8d1ae934499c 100644
--- a/typo3/sysext/core/Configuration/DefaultConfiguration.php
+++ b/typo3/sysext/core/Configuration/DefaultConfiguration.php
@@ -78,7 +78,7 @@ return [
             'security.backend.htmlSanitizeRte' => false,
             'security.backend.enforceReferrer' => true,
             'yamlImportsFollowDeclarationOrder' => false,
-            'subrequestPageErrors' => true,
+            'subrequestPageErrors' => false,
         ],
         'createGroup' => '',
         'sitename' => 'TYPO3',
diff --git a/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml b/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
index 5886bf9281e2..f53c58d777f5 100644
--- a/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
+++ b/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
@@ -198,7 +198,7 @@ SYS:
             items:
               subrequestPageErrors:
                 type: bool
-                description: 'If on, error pages in the Frontend (such as 404 pages) will be requested internally via the TYPO3 Frontend instead of using an external HTTP request. Disable this feature if you have trouble with custom extensions overriding PHPs global variables.'
+                description: 'If on, error pages in the Frontend (such as 404 pages) will be requested internally via the TYPO3 Frontend instead of using an external HTTP request. It may be enabled on an experimental basis, as there are some cases where stateful information is not correctly reset for the subrequest. Disable this feature if you have trouble with stateful services or when some custom extensions overriding PHPs global variables.'
               redirects.hitCount:
                 type: bool
                 description: 'If on, and if extension "redirects" is loaded, each performed redirect is counted and last hit time is logged to the database.'
diff --git a/typo3/sysext/core/Documentation/Changelog/11.4/Feature-94402-GenerateErrorPagesViaTYPO3-internalSubRequest.rst b/typo3/sysext/core/Documentation/Changelog/11.4/Feature-94402-GenerateErrorPagesViaTYPO3-internalSubRequest.rst
index 3f9c54833b02..1221a72f34ec 100644
--- a/typo3/sysext/core/Documentation/Changelog/11.4/Feature-94402-GenerateErrorPagesViaTYPO3-internalSubRequest.rst
+++ b/typo3/sysext/core/Documentation/Changelog/11.4/Feature-94402-GenerateErrorPagesViaTYPO3-internalSubRequest.rst
@@ -9,14 +9,17 @@ See :issue:`94402`
 Description
 ===========
 
-Error pages (such as 404 - not found, or 403 - access denied) are now generated
+Error pages (such as 404 - not found, or 403 - access denied) may now be generated
 via a TYPO3-internal sub-request instead of an external HTTP
 request (cURL over Guzzle).
 
-The internal generation of the error pages is enabled by default, but can
-be disabled via a feature flag called `subrequestPageErrors` in the "Settings"
+This feature is disabled by default, as there are some cases where stateful information
+is not correctly reset for the subrequest.  It may be enabled on an experimental
+basis via a feature flag called `subrequestPageErrors` in the "Settings"
 module.
 
+This change will default to enabled in a future version once all stateful services
+are identified and removed.
 
 Impact
 ======
@@ -25,9 +28,11 @@ Generating error pages internally reduces the server load drastically, and
 solves various issues when dealing with load-balanced systems where the hostname
 of the server might not match the public-facing server ("front server").
 
-However, in some rare cases there might be problems with third-party extensions
+However, in some cases there might be problems with third-party extensions
 that override super globals (e.g. :php:`$_GET` and :php:`$_POST`), where the option could be
-disabled.
+disabled.  There are also some remaining cases in core of stateful services that,
+in some configurations, result in incorrect error pages being generated. For that
+reason the feature defaults to disabled for now.
 
 This feature is only relevant for site configurations loading error pages
 from a different Page ID.
-- 
GitLab