Channel: Issues for Drupal core

Simplify module form structure and fix bugs when Suhosin is used

Problem/Motivation

The Suhosin variant of PHP adds protections that block potentially malicious data in $_GET and $_POST. One of them lets you blacklist array keys that contain certain characters, using the following setting: suhosin.request.array_index_blacklist => '"+<>;(). The default value breaks the module install form when the package name contains brackets. This is the case for experimental modules in core and for Commerce packages.

Proposed resolution

Remove package names from the form keys because they are causing the problem.
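
The effect described above, as an added example (not code from Drupal or Suhosin): a simplified model of the array-index filter applied to the module form's field names, first with package names in the keys and then without. The field layout modules[package][module][enable], the module names and the drop-the-whole-variable behaviour are assumptions made for illustration.

```php
<?php
// Added example: a simplified stand-in for Suhosin's request filter, not its
// actual implementation. Assumption: a request variable is dropped when any
// of its array indices contains a blacklisted character.

const ARRAY_INDEX_BLACKLIST = '\'"+<>;()'; // setting value quoted on this page

/** Returns the bracketed indices of a field name: a[b][c] => ['b', 'c']. */
function array_indices(string $field): array {
    preg_match_all('/\[([^\]]*)\]/', $field, $matches);
    return $matches[1];
}

/** Keeps only the fields whose array indices avoid the blacklist. */
function filter_fields(array $fields, string $blacklist): array {
    return array_filter($fields, function (string $name) use ($blacklist): bool {
        foreach (array_indices($name) as $index) {
            if (strpbrk($index, $blacklist) !== false) {
                return false; // the whole variable is discarded
            }
        }
        return true;
    }, ARRAY_FILTER_USE_KEY);
}

/** Module names whose checkbox still reaches the submit handler. */
function submitted_modules(array $fields): array {
    $modules = [];
    foreach (array_keys(filter_fields($fields, ARRAY_INDEX_BLACKLIST)) as $name) {
        $indices = array_indices($name);
        $modules[] = $indices[count($indices) - 2]; // index before [enable]
    }
    return $modules;
}

// Constructed submissions; module names and key layout are hypothetical.
$with_package = [
    'modules[Core][example_node][enable]' => '1',
    'modules[Commerce (contrib)][example_shipping][enable]' => '1',
];
$without_package = [
    'modules[example_node][enable]' => '1',
    'modules[example_shipping][enable]' => '1',
];

print_r(submitted_modules($with_package));
print_r(submitted_modules($without_package));
```

With package names in the keys, the field under Commerce (contrib) is filtered out, so that module's checkbox never arrives and the form treats it as unchecked. With the package level removed, both module names survive the filter.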

Remaining tasks

User interface changes

None

API changes

Not really an API change, but the module submit form no longer has package names in its keys.

Data model changes

None

Original issue summary

If a Drupal site is located in an environment where setting a PHP version is possible and a PHP version other than the default is selected, modules with brackets in group names will be disabled whenever any module is enabled or disabled through the module page UI.

Here is my report in detail.

Example:

I have a provider with three PHP versions: 5.3 (default), 5.5 and 5.6; I have a Commerce installation with modules in Commerce (contrib). If I choose a PHP version of 5.5 or 5.6 and then change the status of any module, the modules in Commerce (contrib) will be disabled. If I choose 5.3 or rename the group to Commerce Contrib, the module page will work as expected.

As Drush always uses the default PHP version, it is not affected by this problem.

Versions affected: 7.x; 8.x not tested yet, but assumed to come with the same issue.

