security update core+modules
@@ -692,6 +692,21 @@ function install_full_redirect_url($install_state) {
|
||||
*/
|
||||
function install_display_output($output, $install_state) {
|
||||
drupal_page_header();
|
||||
|
||||
// Prevent install.php from being indexed when installed in a sub folder.
|
||||
// robots.txt rules are not read if the site is within domain.com/subfolder
|
||||
// resulting in /subfolder/install.php being found through search engines.
|
||||
// When settings.php is writeable this can be used via an external database
|
||||
// leading a malicious user to gain php access to the server.
|
||||
$noindex_meta_tag = array(
|
||||
'#tag' => 'meta',
|
||||
'#attributes' => array(
|
||||
'name' => 'robots',
|
||||
'content' => 'noindex, nofollow',
|
||||
),
|
||||
);
|
||||
drupal_add_html_head($noindex_meta_tag, 'install_meta_robots');
|
||||
|
||||
// Only show the task list if there is an active task; otherwise, the page
|
||||
// request has ended before tasks have even been started, so there is nothing
|
||||
// meaningful to show.
|
||||
@@ -766,6 +781,15 @@ function install_system_module(&$install_state) {
|
||||
// Install system.module.
|
||||
drupal_install_system();
|
||||
|
||||
// Call file_ensure_htaccess() to ensure that all of Drupal's standard
|
||||
// directories (e.g., the public and private files directories) have
|
||||
// appropriate .htaccess files. These directories will have already been
|
||||
// created by this point in the installer, since Drupal creates them during
|
||||
// the install_verify_requirements() task. Note that we cannot call
|
||||
// file_ensure_htaccess() any earlier than this, since it relies on
|
||||
// system.module in order to work.
|
||||
file_ensure_htaccess();
|
||||
|
||||
// Enable the user module so that sessions can be recorded during the
|
||||
// upcoming bootstrap step.
|
||||
module_enable(array('user'), FALSE);
|
||||
@@ -981,7 +1005,7 @@ function install_settings_form_submit($form, &$form_state) {
|
||||
'required' => TRUE,
|
||||
);
|
||||
$settings['drupal_hash_salt'] = array(
|
||||
'value' => drupal_hash_base64(drupal_random_bytes(55)),
|
||||
'value' => drupal_random_key(),
|
||||
'required' => TRUE,
|
||||
);
|
||||
drupal_rewrite_settings($settings);
|
||||
@@ -1041,7 +1065,21 @@ function install_select_profile(&$install_state) {
|
||||
}
|
||||
|
||||
/**
|
||||
* Selects an installation profile from a list or from a $_POST submission.
|
||||
* Selects an installation profile.
|
||||
*
|
||||
* A profile will be selected if:
|
||||
* - Only one profile is available,
|
||||
* - A profile was submitted through $_POST,
|
||||
* - Exactly one of the profiles is marked as "exclusive".
|
||||
* If multiple profiles are marked as "exclusive" then no profile will be
|
||||
* selected.
|
||||
*
|
||||
* @param array $profiles
|
||||
* An associative array of profiles with the machine-readable names as keys.
|
||||
*
|
||||
* @return
|
||||
* The machine-readable name of the selected profile or NULL if no profile was
|
||||
* selected.
|
||||
*/
|
||||
function _install_select_profile($profiles) {
|
||||
if (sizeof($profiles) == 0) {
|
||||
@@ -1061,6 +1099,23 @@ function _install_select_profile($profiles) {
|
||||
}
|
||||
}
|
||||
}
|
||||
// Check for a profile marked as "exclusive" and ensure that only one
|
||||
// profile is marked as such.
|
||||
$exclusive_profile = NULL;
|
||||
foreach ($profiles as $profile) {
|
||||
$profile_info = install_profile_info($profile->name);
|
||||
if (!empty($profile_info['exclusive'])) {
|
||||
if (empty($exclusive_profile)) {
|
||||
$exclusive_profile = $profile->name;
|
||||
}
|
||||
else {
|
||||
// We found a second "exclusive" profile. There's no way to choose
|
||||
// between them, so we ignore the property.
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
return $exclusive_profile;
|
||||
}
|
||||
|
||||
/**
|
||||
|
||||
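Review bot: The comment above `$noindex_meta_tag` in install_display_output() (first hunk) is hard to parse and reads as if the meta tag closes the hole it describes. `noindex, nofollow` only asks crawlers not to list install.php; anyone who already has the URL can still load it. I would reword the last two comment lines to something like `// If settings.php is still writable, a visitor who reaches install.php could run the installer against a database they control; keeping the page out of search results only makes it harder to find.` The same comment should say that the actual safeguard is presumably a read-only settings.php after installation, which the existing wording ("When settings.php is writeable") implies but never states. The function body continues past the end of the hunk, so it cannot be checked from here whether every output path goes through this head tag.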