The suhosin variant of PHP has additional protections that prevent potentially malicious data in the $_GET and $_POST. You can blacklist array keys that contain certain characters using the following setting: suhosin.request.array_index_blacklist => '"+<>;(). The default value breaks the module install form where the package contains brackets. This is true for experimental modules in core and for commerce packages.
Remove package names from the form keys because they are causing the problem.
None
Not really an API change but the module submit form is changed to not have package names in the keys.
None
If a Drupal site is located in an environment where setting a PHP version is possible and a different than default PHP version is selected, modules with brackets in group names will be disabled whenever any module is enabled or disabled through the module page UI.
Here is my report in detail. →
I have a provider with three PHP versions: 5.3 (default), 5.5 and 5.6; I have a Commerce installation with modules in Commerce (contrib). If I choose a PHP version of 5.5 or 5.6 and then change the status of any module, the modules in Commerce (contrib) will be disabled. If I choose 5.3 or rename the group to Commerce Contrib, the module page will work as expected.
As Drush always uses the default PHP version, it is not affected by this problem.
Versions affected: 7.x; 8.x not tested yet, but assumed to come with the same issue.
Fixed
8.3 ⚰️
extension system
After being applied to the 8.x branch, it should be considered for backport to the 7.x branch. Note: This tag should generally remain even after the backport has been written, approved, and committed.
Not all content is available!
It's likely this issue predates Contrib.social: some issue and comment data are missing.