Commit d8aacc5d authored by Dries's avatar Dries

- Patch #225880 by pwolanin, webchick, keith.smith, et al: fixed non-writability of settings.php.

parent 18cd9c79
......@@ -73,13 +73,27 @@ INSTALLATION
http://drupal.org/project/translations and download the package. Extract
the contents to the same directory where you extracted Drupal into.
2. GRANT WRITE PERMISSIONS ON CONFIGURATION FILE
2. CREATE THE CONFIGURATION FILE AND GRANT WRITE PERMISSIONS
Drupal comes with a default.settings.php file in the sites/default
directory. The installer will create a copy of this file filled with
the details you provide through the install process, in the same
directory. Give the web server write privileges to the sites/default
directory with the command (from the installation directory):
directory. The installer uses this file as a template to create your
settings file using the details you provide through the install process.
To avoid problems when upgrading, Drupal is not packaged with an actual
settings file. You must create a file named settings.php. You may do so
by making a copy of default.settings.php (or create an empty file with
this name in the same directory). For example, (from the installation
directory) make a copy of the default.settings.php file with the command:
cp sites/default/default.settings.php sites/default/settings.php
Next, give the web server write privileges to the sites/default/settings.php
file with the command (from the installation directory):
chmod o+w sites/default/settings.php
So that the files directory can be created automatically, give the web server
write privileges to the sites/default directory with the command (from the
installation directory):
chmod o+w sites/default
......@@ -116,11 +130,17 @@ INSTALLATION
mkdir sites/default/files
chmod o+w sites/default/files
The install script will attempt to write-protect the sites/default
directory after creating the settings.php file. If you make manual
changes to that file later, be sure to protect it again after making
your modifications. Failure to remove write permissions to that file
is a security risk. Although the default location for the settings.php
The install script will attempt to write-protect the settings.php file and
the sites/default directory after saving your configuration. However, you
may need to manually write-protect them using the commands (from the
installation directory):
chmod a-w sites/default/settings.php
chmod a-w sites/default
If you make manual changes to the file later, be sure to protect it again
after making your modifications. Failure to remove write permissions to that
file is a security risk. Although the default location for the settings.php
file is at sites/default/settings.php, it may be in another location
if you use the multi-site setup, as explained below.
......
......@@ -109,6 +109,13 @@ function install_main() {
// Tasks come after the database is set up
if (!$task) {
global $db_url;
if (!$verify && !empty($db_url)) {
// Do not install over a configured settings.php.
install_already_done_error();
}
// Check the installation requirements for Drupal and this profile.
install_check_requirements($profile, $verify);
......@@ -200,14 +207,6 @@ function install_change_settings($profile = 'default', $install_locale = '') {
include_once './includes/form.inc';
install_task_list('database');
if ($db_url == 'mysql://username:password@localhost/databasename') {
$db_user = $db_pass = $db_path = '';
}
elseif (!empty($db_url)) {
// Do not install over a configured settings.php.
install_already_done_error();
}
$output = drupal_get_form('install_settings_form', $profile, $install_locale, $settings_file, $db_url, $db_type, $db_prefix, $db_user, $db_pass, $db_host, $db_port, $db_path);
drupal_set_title(st('Database configuration'));
print theme('install_page', $output);
......@@ -899,21 +898,27 @@ function install_check_requirements($profile, $verify) {
$conf_path = './' . conf_path(FALSE, TRUE);
$settings_file = $conf_path . '/settings.php';
$file = $conf_path;
$exists = FALSE;
// Verify that the directory exists.
if (drupal_verify_install_file($conf_path, FILE_EXIST, 'dir')) {
// Check to see if a settings.php already exists.
// Check to make sure a settings.php already exists.
$file = $settings_file;
if (drupal_verify_install_file($settings_file, FILE_EXIST)) {
$exists = TRUE;
// If it does, make sure it is writable.
$writable = drupal_verify_install_file($settings_file, FILE_READABLE|FILE_WRITABLE);
$file = $settings_file;
}
else {
// If not, make sure the directory is.
$writable = drupal_verify_install_file($conf_path, FILE_READABLE|FILE_WRITABLE, 'dir');
$exists = TRUE;
}
}
if (!$writable) {
if (!$exists) {
drupal_set_message(st('The @drupal installer requires that you create a settings file as part of the installation process.
<ol>
<li>Copy the %default_file file to %file.</li>
<li>Change file permissions so that it is writable by the web server. If you are unsure how to grant file permissions, please consult the <a href="@handbook_url">on-line handbook</a>.</li>
</ol>
More details about installing Drupal are available in INSTALL.txt.', array('@drupal' => drupal_install_profile_name(), '%file' => $file, '%default_file' => $conf_path .'/default.settings.php', '@handbook_url' => 'http://drupal.org/server-permissions')), 'error');
}
elseif (!$writable) {
drupal_set_message(st('The @drupal installer requires write permissions to %file during the installation process. If you are unsure how to grant file permissions, please consult the <a href="@handbook_url">online handbook</a>.', array('@drupal' => drupal_install_profile_name(), '%file' => $file, '@handbook_url' => 'http://drupal.org/server-permissions')), 'error');
}
}
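Review bot: The guard added in the install_main hunk, `if (!$verify && !empty($db_url))`, treats every non-empty `$db_url` as a configured site, and the placeholder special case for `mysql://username:password@localhost/databasename` in the install_change_settings hunk appears to be on the removed side. Because INSTALL.txt in this commit tells administrators to copy default.settings.php to settings.php, the template has to ship with an empty `$db_url`, or a fresh copy would end in install_already_done_error(); default.settings.php is not visible on this page, so this needs confirming. I would state the invariant in the comment, e.g. `// Any non-empty $db_url means settings.php is configured; default.settings.php must leave it empty.` In the install_check_requirements hunk `$exists = TRUE;` shows up twice around the `$writable` assignment, and one of them looks redundant if both are on the new side. All three function bodies continue outside their hunks.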
......
......@@ -42,6 +42,12 @@ class SimpleTestTestCase extends DrupalWebTestCase {
if (!$this->inCURL()) {
$this->drupalGet('node');
$this->assertTitle(variable_get('site_name', 'Drupal'), t('Site title matches.'));
// Make sure that we are locked out of the installer when prefixing
// using the user-agent header. This is an important security check.
global $base_url;
$this->drupalGet($base_url . '/install.php', array('external' => TRUE));
$this->assertResponse(403, 'Cannot access install.php with a "simpletest" user-agent header.');
}
}
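Review bot: The new assertion message is passed as a bare string, while the `assertTitle` call just above it wraps its message in `t()`; for consistency I would write `$this->assertResponse(403, t('Cannot access install.php with a "simpletest" user-agent header.'));`. The comment calls this an important security check, so it should also name the code in install.php that produces the 403, since none of the install.php hunks visible on this page does. The enclosing test method starts before the hunk.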
......