From cb7127c514aee7e66659da3f20348db4c013a40c Mon Sep 17 00:00:00 2001
From: David Rothstein
Date: Mon, 30 Dec 2013 18:37:43 -0500
Subject: Issue #1760330 by s.Daniel, David_Rothstein, jfhovinne: Hide vulnerable drupal install.php sites from search engines.
---
 includes/install.core.inc | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
(limited to 'includes/install.core.inc')
diff --git a/includes/install.core.inc b/includes/install.core.inc
index 83f18735a..38ad72485 100644
--- a/includes/install.core.inc
+++ b/includes/install.core.inc
@@ -692,6 +692,21 @@ function install_full_redirect_url($install_state) {
 */
 function install_display_output($output, $install_state) {
 drupal_page_header();
+
+ // Prevent install.php from being indexed when installed in a sub folder.
+ // robots.txt rules are not read if the site is within domain.com/subfolder
+ // resulting in /subfolder/install.php being found through search engines.
+ // When settings.php is writeable this can be used via an external database
+ // leading a malicious user to gain php access to the server.
+ $noindex_meta_tag = array(
+ '#tag' => 'meta',
+ '#attributes' => array(
+ 'name' => 'robots',
+ 'content' => 'noindex, nofollow',
+ ),
+ );
+ drupal_add_html_head($noindex_meta_tag, 'install_meta_robots');
+
 // Only show the task list if there is an active task; otherwise, the page
 // request has ended before tasks have even been started, so there is nothing
 // meaningful to show.
-- 
cgit v1.2.3
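Review bot: The comment above `$noindex_meta_tag` presents the robots meta tag as the answer to an exposed installer, but `noindex, nofollow` is advisory: it only asks compliant crawlers to keep the page out of their index and changes nothing for an install.php that stays reachable while settings.php is writable. I would add one line to the comment, e.g. `// This only reduces discoverability; an unfinished install with a writable settings.php is still exposed.`, so the tag is not read as access control. Because the tag is attached in install_display_output(), any installer response that does not pass through this function carries no hint at all; if such paths exist (not visible in this hunk), sending the header as well with `drupal_add_http_header('X-Robots-Tag', 'noindex, nofollow');` would cover them. The body of install_display_output() continues past the end of the hunk.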