diff -u b/core/includes/bootstrap.inc b/core/includes/bootstrap.inc --- b/core/includes/bootstrap.inc +++ b/core/includes/bootstrap.inc @@ -533,13 +533,6 @@ // sites/default/default.settings.php contains more runtime settings. // The .htaccess file contains settings that cannot be changed at runtime. - // Deny execution with enabled "magic quotes" (both GPC and runtime). - if (get_magic_quotes_gpc() || get_magic_quotes_runtime()) { - header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error'); - print "PHP's 'magic_quotes_gpc' and 'magic_quotes_runtime' settings are not supported and must be disabled."; - exit; - } - // Use session cookies, not transparent sessions that puts the session id in // the query string. ini_set('session.use_cookies', '1'); only in patch2: unchanged: --- a/.htaccess +++ b/.htaccess @@ -25,9 +25,6 @@ DirectoryIndex index.php index.html index.htm # PHP 5, Apache 1 and 2. - php_flag magic_quotes_gpc off - php_flag magic_quotes_sybase off - php_flag register_globals off php_flag session.auto_start off php_value mbstring.http_input pass php_value mbstring.http_output pass only in patch2: unchanged: --- a/core/includes/file.inc +++ b/core/includes/file.inc @@ -605,7 +605,7 @@ function file_valid_uri($uri) { * will rename the file until the $destination is unique. * - Provides a fallback using realpaths if the move fails using stream * wrappers. This can occur because PHP's copy() function does not properly - * support streams if safe_mode or open_basedir are enabled. See + * support streams if open_basedir is enabled. See * https://bugs.php.net/bug.php?id=60456 * * @param $source 
@@ -1026,8 +1026,8 @@ function file_unmanaged_delete_recursive($path, $callback = NULL) { /** * Moves an uploaded file to a new location. * - * PHP's move_uploaded_file() does not properly support streams if safe_mode - * or open_basedir are enabled, so this function fills that gap. + * PHP's move_uploaded_file() does not properly support streams if open_basedir + * is enabled, so this function fills that gap. * * Compatibility: normal paths and stream wrappers. * @@ -1045,9 +1045,9 @@ function file_unmanaged_delete_recursive($path, $callback = NULL) { */ function drupal_move_uploaded_file($filename, $uri) { $result = @move_uploaded_file($filename, $uri); - // PHP's move_uploaded_file() does not properly support streams if safe_mode - // or open_basedir are enabled so if the move failed, try finding a real path - // and retry the move operation. + // PHP's move_uploaded_file() does not properly support streams if + // open_basedir is enabled so if the move failed, try finding a real path and + // retry the move operation. if (!$result) { if ($realpath = drupal_realpath($uri)) { $result = move_uploaded_file($filename, $realpath); only in patch2: unchanged: --- a/core/includes/install.inc +++ b/core/includes/install.inc @@ -846,8 +846,6 @@ function drupal_install_fix_file($file, $mask, $message = TRUE) { } // chmod() will work if the web server is running as owner of the file. - // If PHP safe_mode is enabled the currently executing script must also - // have the same owner. if (@chmod($file, $mod)) { return TRUE; } only in patch2: unchanged: --- a/core/lib/Drupal/Core/Mail/PhpMail.php +++ b/core/lib/Drupal/Core/Mail/PhpMail.php 
@@ -47,8 +47,7 @@ public function format(array $message) { public function mail(array $message) { // If 'Return-Path' isn't already set in php.ini, we pass it separately // as an additional parameter instead of in the header. - // However, if PHP's 'safe_mode' is on, this is not allowed. - if (isset($message['headers']['Return-Path']) && !ini_get('safe_mode')) { + if (isset($message['headers']['Return-Path'])) { $return_path_set = strpos(ini_get('sendmail_path'), ' -f'); if (!$return_path_set) { $message['Return-Path'] = $message['headers']['Return-Path']; @@ -77,29 +76,17 @@ public function mail(array $message) { // hosts. The return value of this method will still indicate whether mail // was sent successfully. if (!$request->server->has('WINDIR') && strpos($request->server->get('SERVER_SOFTWARE'), 'Win32') === FALSE) { - if (isset($message['Return-Path']) && !ini_get('safe_mode')) { - // On most non-Windows systems, the "-f" option to the sendmail command - // is used to set the Return-Path. There is no space between -f and - // the value of the return path. - $mail_result = @mail( - $message['to'], - $mail_subject, - $mail_body, - $mail_headers, - '-f' . $message['Return-Path'] - ); - } - else { - // The optional $additional_parameters argument to mail() is not - // allowed if safe_mode is enabled. Passing any value throws a PHP - // warning and makes mail() return FALSE. - $mail_result = @mail( - $message['to'], - $mail_subject, - $mail_body, - $mail_headers - ); - } + // On most non-Windows systems, the "-f" option to the sendmail command + // is used to set the Return-Path. There is no space between -f and + // the value of the return path. + $additional_headers = isset($message['Return-Path']) ? '-f' . $message['Return-Path'] : ''; + $mail_result = @mail( + $message['to'], + $mail_subject, + $mail_body, + $mail_headers, + $additional_headers + ); } else { // On Windows, PHP will use the value of sendmail_from for the only in patch2: unchanged: 
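Review bot: In the second PhpMail.php hunk, `$message['Return-Path']` is concatenated onto `-f` and passed to mail() as its fifth argument with no validation visible in the hunk, and with the `safe_mode` branch removed this is now the only call path on non-Windows hosts. That argument ends up on the sendmail command line; PHP escapes shell metacharacters in it but does not stop embedded whitespace from splitting the value into additional options. Whether the header can carry caller- or user-influenced data cannot be determined from these lines, so a conservative allow-list before building the argument is worth adding, e.g. `$return_path_ok = isset($message['Return-Path']) && preg_match('/^[A-Za-z0-9._+@-]+$/D', $message['Return-Path']);`, passing `'-f' . $message['Return-Path']` only when it holds and `''` otherwise. The new variable is also misnamed: `$additional_headers` holds mail()'s additional parameters, not headers, so `$additional_params` would be clearer next to `$mail_headers`. The body of mail() begins before and continues after this hunk.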
--- a/core/modules/system/system.install +++ b/core/modules/system/system.install @@ -74,25 +74,6 @@ function system_requirements($phase) { return $requirements; } - // Test PHP register_globals setting. - $requirements['php_register_globals'] = array( - 'title' => t('PHP register globals'), - ); - $register_globals = trim(ini_get('register_globals')); - // Unfortunately, ini_get() may return many different values, and we can't - // be certain which values mean 'on', so we instead check for 'not off' - // since we never want to tell the user that their site is secure - // (register_globals off), when it is in fact on. We can only guarantee - // register_globals is off if the value returned is 'off', '', or 0. - if (!empty($register_globals) && strtolower($register_globals) != 'off') { - $requirements['php_register_globals']['description'] = t('register_globals is enabled. Drupal requires this configuration directive to be disabled. Your site may not be secure when register_globals is enabled. The PHP manual has instructions for how to change configuration settings.', array('@url' => 'http://php.net/configuration.changes')); - $requirements['php_register_globals']['severity'] = REQUIREMENT_ERROR; - $requirements['php_register_globals']['value'] = t("Enabled ('@value')", array('@value' => $register_globals)); - } - else { - $requirements['php_register_globals']['value'] = t('Disabled'); - } - // Test for PHP extensions. $requirements['php_extensions'] = array( 'title' => t('PHP extensions'),