authorDries Buytaert <dries@buytaert.net>2008-07-18 07:24:29 +0000
committerDries Buytaert <dries@buytaert.net>2008-07-18 07:24:29 +0000
commitd8aacc5de273da3b2d20ae8063bc8da4e57ae097 (patch)
tree667741f8f53b59fb0a94ec5f666ca0fde8eef8dc
parent18cd9c79fc1cbf704741333740e267b800af0adf (diff)
downloadbrdo-d8aacc5de273da3b2d20ae8063bc8da4e57ae097.tar.gz
brdo-d8aacc5de273da3b2d20ae8063bc8da4e57ae097.tar.bz2
- Patch #225880 by pwolanin, webchick, keith.smith, et al: fixed non-writability of settings.php.
-rw-r--r--INSTALL.txt40
-rw-r--r--install.php37
-rw-r--r--modules/simpletest/simpletest.test6
3 files changed, 57 insertions, 26 deletions
diff --git a/INSTALL.txt b/INSTALL.txt
index ed91c08bf..1b4325e83 100644
--- a/INSTALL.txt
+++ b/INSTALL.txt
@@ -73,13 +73,27 @@ INSTALLATION
http://drupal.org/project/translations and download the package. Extract
the contents to the same directory where you extracted Drupal into.
-2. GRANT WRITE PERMISSIONS ON CONFIGURATION FILE
+2. CREATE THE CONFIGURATION FILE AND GRANT WRITE PERMISSIONS
Drupal comes with a default.settings.php file in the sites/default
- directory. The installer will create a copy of this file filled with
- the details you provide through the install process, in the same
- directory. Give the web server write privileges to the sites/default
- directory with the command (from the installation directory):
+ directory. The installer uses this file as a template to create your
+ settings file using the details you provide through the install process.
+ To avoid problems when upgrading, Drupal is not packaged with an actual
+ settings file. You must create a file named settings.php. You may do so
+ by making a copy of default.settings.php (or create an empty file with
+ this name in the same directory). For example, (from the installation
+ directory) make a copy of the default.settings.php file with the command:
+
+ cp sites/default/default.settings.php sites/default/settings.php
+
+ Next, give the web server write privileges to the sites/default/settings.php
+ file with the command (from the installation directory):
+
+ chmod o+w sites/default/settings.php
+
+ So that the files directory can be created automatically, give the web server
+ write privileges to the sites/default directory with the command (from the
+ installation directory):
chmod o+w sites/default
@@ -116,11 +130,17 @@ INSTALLATION
mkdir sites/default/files
chmod o+w sites/default/files
- The install script will attempt to write-protect the sites/default
- directory after creating the settings.php file. If you make manual
- changes to that file later, be sure to protect it again after making
- your modifications. Failure to remove write permissions to that file
- is a security risk. Although the default location for the settings.php
+ The install script will attempt to write-protect the settings.php file and
+ the sites/default directory after saving your configuration. However, you
+ may need to manually write-protect them using the commands (from the
+ installation directory):
+
+ chmod a-w sites/default/settings.php
+ chmod a-w sites/default
+
+ If you make manual changes to the file later, be sure to protect it again
+ after making your modifications. Failure to remove write permissions to that
+ file is a security risk. Although the default location for the settings.php
file is at sites/default/settings.php, it may be in another location
if you use the multi-site setup, as explained below.
diff --git a/install.php b/install.php
index e009632fd..15a00c1bf 100644
--- a/install.php
+++ b/install.php
@@ -109,6 +109,13 @@ function install_main() {
// Tasks come after the database is set up
if (!$task) {
+ global $db_url;
+
+ if (!$verify && !empty($db_url)) {
+ // Do not install over a configured settings.php.
+ install_already_done_error();
+ }
+
// Check the installation requirements for Drupal and this profile.
install_check_requirements($profile, $verify);
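Review bot: The new guard `if (!$verify && !empty($db_url))` treats any non-empty `$db_url` as a configured site, whereas the block this commit removes from install_change_settings() explicitly treated the placeholder `mysql://username:password@localhost/databasename` as unconfigured. INSTALL.txt in the same commit now tells administrators to copy default.settings.php to settings.php, so if that template still ships a placeholder `$db_url` (not visible in this diff), a fresh copy would end in install_already_done_error() instead of reaching the settings form. It is worth confirming the template's value, or keeping the placeholder comparison in the condition, e.g. `if (!$verify && !empty($db_url) && $db_url != 'mysql://username:password@localhost/databasename') {`. install_main() starts and ends outside the hunk.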
@@ -200,14 +207,6 @@ function install_change_settings($profile = 'default', $install_locale = '') {
include_once './includes/form.inc';
install_task_list('database');
- if ($db_url == 'mysql://username:password@localhost/databasename') {
- $db_user = $db_pass = $db_path = '';
- }
- elseif (!empty($db_url)) {
- // Do not install over a configured settings.php.
- install_already_done_error();
- }
-
$output = drupal_get_form('install_settings_form', $profile, $install_locale, $settings_file, $db_url, $db_type, $db_prefix, $db_user, $db_pass, $db_host, $db_port, $db_path);
drupal_set_title(st('Database configuration'));
print theme('install_page', $output);
@@ -899,21 +898,27 @@ function install_check_requirements($profile, $verify) {
$conf_path = './' . conf_path(FALSE, TRUE);
$settings_file = $conf_path . '/settings.php';
$file = $conf_path;
+ $exists = FALSE;
// Verify that the directory exists.
if (drupal_verify_install_file($conf_path, FILE_EXIST, 'dir')) {
- // Check to see if a settings.php already exists.
+ // Check to make sure a settings.php already exists.
+ $file = $settings_file;
if (drupal_verify_install_file($settings_file, FILE_EXIST)) {
+ $exists = TRUE;
// If it does, make sure it is writable.
$writable = drupal_verify_install_file($settings_file, FILE_READABLE|FILE_WRITABLE);
- $file = $settings_file;
- }
- else {
- // If not, make sure the directory is.
- $writable = drupal_verify_install_file($conf_path, FILE_READABLE|FILE_WRITABLE, 'dir');
+ $exists = TRUE;
}
}
-
- if (!$writable) {
+ if (!$exists) {
+ drupal_set_message(st('The @drupal installer requires that you create a settings file as part of the installation process.
+<ol>
+<li>Copy the %default_file file to %file.</li>
+<li>Change file permissions so that it is writable by the web server. If you are unsure how to grant file permissions, please consult the <a href="@handbook_url">on-line handbook</a>.</li>
+</ol>
+More details about installing Drupal are available in INSTALL.txt.', array('@drupal' => drupal_install_profile_name(), '%file' => $file, '%default_file' => $conf_path .'/default.settings.php', '@handbook_url' => 'http://drupal.org/server-permissions')), 'error');
+ }
+ elseif (!$writable) {
drupal_set_message(st('The @drupal installer requires write permissions to %file during the installation process. If you are unsure how to grant file permissions, please consult the <a href="@handbook_url">online handbook</a>.', array('@drupal' => drupal_install_profile_name(), '%file' => $file, '@handbook_url' => 'http://drupal.org/server-permissions')), 'error');
}
}
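Review bot: When the configuration directory itself is missing, `$exists` stays FALSE and the new error message prints `%file` as `$conf_path`, so step 1 tells the administrator to copy default.settings.php onto a directory path rather than to settings.php. Initialising with `$file = $settings_file;` in place of `$file = $conf_path;` would keep that instruction correct in both cases. `$exists = TRUE;` is also assigned twice inside the inner `if`; the second assignment after the `$writable` line can be dropped. Because the installer now asks for a settings.php that the web server can write to, the message could also remind the reader to write-protect the file again after installation, as INSTALL.txt does. install_check_requirements() begins outside the hunk.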
diff --git a/modules/simpletest/simpletest.test b/modules/simpletest/simpletest.test
index 2da05d6a3..f21b8d38b 100644
--- a/modules/simpletest/simpletest.test
+++ b/modules/simpletest/simpletest.test
@@ -42,6 +42,12 @@ class SimpleTestTestCase extends DrupalWebTestCase {
if (!$this->inCURL()) {
$this->drupalGet('node');
$this->assertTitle(variable_get('site_name', 'Drupal'), t('Site title matches.'));
+ // Make sure that we are locked out of the installer when prefixing
+ // using the user-agent header. This is an important security check.
+ global $base_url;
+
+ $this->drupalGet($base_url . '/install.php', array('external' => TRUE));
+ $this->assertResponse(403, 'Cannot access install.php with a "simpletest" user-agent header.');
}
}
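Review bot: The message passed to the new `assertResponse()` call is a bare string, while the `assertTitle()` call just above wraps its message in `t()`; for consistency it would read `$this->assertResponse(403, t('Cannot access install.php with a "simpletest" user-agent header.'));`. The comment calls this an important security check but does not state the expected behaviour; a line such as `// install.php must answer 403 to requests carrying the simpletest user-agent.` would make the contract explicit. The check only runs in the `!$this->inCURL()` branch, and the enclosing method starts outside the hunk.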