diff --git a/.htaccess b/.htaccess
index 07cf7e4..d12f9e9 100644
--- a/.htaccess
+++ b/.htaccess
@@ -139,14 +139,14 @@ AddEncoding gzip svgz
   # Allow access to PHP files in /core (like authorize.php or install.php):
   RewriteCond %{REQUEST_URI} !/core/[^/]*\.php$
   # Allow access to test-specific PHP files:
-  RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php$
+  RewriteCond %{REQUEST_URI} !/core/modules/system/tests/https?.php
   # Allow access to Statistics module's custom front controller.
   # Copy and adapt this rule to directly execute PHP files in contributed or
   # custom modules or to run another PHP application in the same directory.
   RewriteCond %{REQUEST_URI} !/core/modules/statistics/statistics.php$
   # Deny access to any other PHP files that do not match the rules above.
   # Specifically, disallow autoload.php from being served directly.
-  RewriteRule "^(.+/.*|autoload)\.php$" - [F]
+  RewriteRule "^(.+/.*|autoload)\.php" - [F]
 
   # Rules to correctly serve gzip compressed CSS and JS files.
   # Requires both mod_rewrite and mod_headers to be enabled.
diff --git a/core/modules/system/src/Tests/System/HtaccessTest.php b/core/modules/system/src/Tests/System/HtaccessTest.php
index 8a44715..b6dfafe 100644
--- a/core/modules/system/src/Tests/System/HtaccessTest.php
+++ b/core/modules/system/src/Tests/System/HtaccessTest.php
@@ -15,6 +15,14 @@
  * @group system
  */
 class HtaccessTest extends WebTestBase {
+
+  /**
+   * Modules to enable.
+   *
+   * @var array
+   */
+  public static $modules = array('node', 'path');
+
   /**
    * Get an array of file paths for access testing.
    *
@@ -29,6 +37,7 @@ protected function getProtectedFiles() {
       'install',
       'make',
       'module',
+      'php.save',
       'profile',
       'po',
       'sh',
@@ -47,6 +56,11 @@ protected function getProtectedFiles() {
     // Try and access a non PHP file in the vendor directory.
     $file_paths[] = 'core/vendor/composer/installed.json';
 
+    // Test some non-test provided files.
+    $file_paths[] = 'core/lib/Drupal.php';
+    $file_paths[] = 'core/vendor/autoload.php';
+    $file_paths[] = 'autoload.php';
+
     return $file_paths;
   }
 
@@ -57,6 +71,31 @@ public function testFileAccess() {
     foreach ($this->getProtectedFiles() as $file) {
       $this->assertNoFileAccess($file);
     }
+
+    // Test that adding "/1" to a .php URL does not make it accessible.
+    $this->drupalGet('core/lib/Drupal.php/1');
+    $this->assertResponse(403, "Access to core/lib/Drupal.php/1 is denied.");
+
+    // Test that is it possible to have path aliases containing in .php.
+    $type = $this->drupalCreateContentType();
+
+    // Create an node aliased to test.php.
+    $node = $this->drupalCreateNode([
+      'title' => 'This is a node',
+      'type' => $type->id(),
+      'path' => 'test.php'
+    ]);
+    $node->save();
+    $this->drupalGet('test.php');
+    $this->assertResponse(200);
+    $this->assertText('This is a node');
+
+    // Update node's alias to test.php/test.
+    $node->path = 'test.php/test';
+    $node->save();
+    $this->drupalGet('test.php/test');
+    $this->assertResponse(200);
+    $this->assertText('This is a node');
   }
 
   /**
@@ -66,9 +105,9 @@ public function testFileAccess() {
    *   Path to file. Without leading slash.
    */
   protected function assertNoFileAccess($path) {
-    $this->assertTrue(file_exists(\Drupal::root() . '/' . $path));
+    $this->assertTrue(file_exists(\Drupal::root() . '/' . $path), "The file $path exists.");
     $this->drupalGet($path);
-    $this->assertResponse(403);
+    $this->assertResponse(403, "Access to $path is denied.");
   }
 
   /**
diff --git a/core/modules/system/tests/fixtures/HtaccessTest/access_test.php.save b/core/modules/system/tests/fixtures/HtaccessTest/access_test.php.save
new file mode 100644
index 0000000..e69de29