authorDavid Rothstein <drothstein@gmail.com>2013-12-30 18:37:43 -0500
committerDavid Rothstein <drothstein@gmail.com>2013-12-30 18:37:43 -0500
commitcb7127c514aee7e66659da3f20348db4c013a40c (patch)
tree77cd04ac5b9f442fab8d108c4d723a1a8be12f31 /includes/install.core.inc
parentaa6235c3c3fd08123d9d1d9eecb07a3e9b72b69f (diff)
Issue #1760330 by s.Daniel, David_Rothstein, jfhovinne: Hide vulnerable drupal install.php sites from search engines.
Diffstat (limited to 'includes/install.core.inc')
-rw-r--r--includes/install.core.inc15
1 files changed, 15 insertions, 0 deletions
diff --git a/includes/install.core.inc b/includes/install.core.inc
index 83f18735a..38ad72485 100644
--- a/includes/install.core.inc
+++ b/includes/install.core.inc
@@ -692,6 +692,21 @@ function install_full_redirect_url($install_state) {
*/
function install_display_output($output, $install_state) {
drupal_page_header();
+
+ // Prevent install.php from being indexed when installed in a sub folder.
+ // robots.txt rules are not read if the site is within domain.com/subfolder
+ // resulting in /subfolder/install.php being found through search engines.
+ // When settings.php is writeable this can be used via an external database
+ // leading a malicious user to gain php access to the server.
+ $noindex_meta_tag = array(
+ '#tag' => 'meta',
+ '#attributes' => array(
+ 'name' => 'robots',
+ 'content' => 'noindex, nofollow',
+ ),
+ );
+ drupal_add_html_head($noindex_meta_tag, 'install_meta_robots');
+
// Only show the task list if there is an active task; otherwise, the page
// request has ended before tasks have even been started, so there is nothing
// meaningful to show.
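Review bot: The comment above `$noindex_meta_tag` in install_display_output() reads as if the robots tag closes the hole, but it only asks well-behaved crawlers not to index the page; an install.php that is reachable while settings.php is writable stays exposed to anyone who learns the URL another way. I would state that limit in the comment, e.g. `// This only reduces search-engine exposure; it is not access control. settings.php must still be made read-only once installation is complete.` The tag is also only emitted on HTML pages rendered through this function, so sending `X-Robots-Tag: noindex, nofollow` as a response header (presumably via `drupal_add_http_header()`, if headers can still be set after `drupal_page_header()`) would cover installer responses that do not pass through the HTML head. The body of install_display_output() continues past the end of the hunk, so the rest of the output path is not visible here.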