From 5e86af6e280acf3b51ba1430d2c55f96f3caafcc Mon Sep 17 00:00:00 2001
From: Dave Long <dave@longwaveconsulting.com>
Date: Sat, 11 Nov 2023 11:44:36 +0000
Subject: [PATCH] Issue #3399685 by poker10, greggles, BramDriesen: Remove Core
 version from install.php when the site already is installed - Information
 Disclosure - Leaking version information

(cherry picked from commit 4c95ce55a86546af5d8dd1c296dd73757c732916)
---
 core/includes/theme.inc                                   | 8 +++++++-
 .../Installer/InstallerExistingInstallationTest.php       | 3 +++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/core/includes/theme.inc b/core/includes/theme.inc
index 7d8bc8a3ed46..222f05a21c9b 100644
--- a/core/includes/theme.inc
+++ b/core/includes/theme.inc
@@ -26,6 +26,7 @@
 use Drupal\Core\Render\Element;
 use Drupal\Core\Render\Markup;
 use Drupal\Core\Utility\TableSort;
+use Drupal\Core\Installer\InstallerKernel;
 
 /**
  * @defgroup content_flags Content markers
@@ -1505,13 +1506,18 @@ function template_preprocess_maintenance_page(&$variables) {
  * @see template_preprocess_maintenance_page()
  */
 function template_preprocess_install_page(&$variables) {
+  $installer_active_task = NULL;
+  if (defined('MAINTENANCE_MODE') && MAINTENANCE_MODE === 'install' && InstallerKernel::installationAttempted()) {
+    $installer_active_task = $GLOBALS['install_state']['active_task'];
+  }
+
   template_preprocess_maintenance_page($variables);
 
   // Override the site name that is displayed on the page, since Drupal is
   // still in the process of being installed.
   $distribution_name = drupal_install_profile_distribution_name();
   $variables['site_name'] = $distribution_name;
-  $variables['site_version'] = drupal_install_profile_distribution_version();
+  $variables['site_version'] = $installer_active_task ? drupal_install_profile_distribution_version() : '';
 }
 
 /**
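Review bot: The gate on the `$variables['site_version']` line in template_preprocess_install_page() has no comment saying why the version is blanked, so the information-disclosure intent could easily be undone in a later cleanup. I would add, above `$installer_active_task = NULL;`, something like `// Only expose the version while an installer task is actually running; on an already-installed site install.php must not reveal it.` The read of `$GLOBALS['install_state']['active_task']` is also unguarded. If that key can ever be absent (the defaults are not visible in this hunk), `$GLOBALS['install_state']['active_task'] ?? NULL` would avoid a PHP warning that might itself be rendered on the page.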
diff --git a/core/tests/Drupal/FunctionalTests/Installer/InstallerExistingInstallationTest.php b/core/tests/Drupal/FunctionalTests/Installer/InstallerExistingInstallationTest.php
index 8906a2fa4da0..8090b99bae89 100644
--- a/core/tests/Drupal/FunctionalTests/Installer/InstallerExistingInstallationTest.php
+++ b/core/tests/Drupal/FunctionalTests/Installer/InstallerExistingInstallationTest.php
@@ -22,6 +22,9 @@ public function testInstaller() {
     $this->visitInstaller();
     $this->assertSession()->pageTextContains('Drupal already installed');
 
+    // Verify that Drupal version is not displayed.
+    $this->assertSession()->pageTextNotContains(\Drupal::VERSION);
+
     // Delete settings.php and attempt to reinstall again.
     unlink($this->siteDirectory . '/settings.php');
     $this->visitInstaller();
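Review bot: The added `pageTextNotContains(\Drupal::VERSION)` assertion only inspects the visible text of the "already installed" page, so a version string left in markup (attributes, asset URLs) would not fail it. It also checks the core constant rather than the value returned by `drupal_install_profile_distribution_version()`, which a distribution profile may set differently. If the intent is that the response carries no version at all, `$this->assertSession()->responseNotContains(\Drupal::VERSION);` would pin that, though whether it passes depends on markup not shown here. There is also no assertion that the version is still shown while an installation is in progress, so the other branch of the ternary is not covered by this test. testInstaller() begins and ends outside the hunk.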
-- 
GitLab