Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Updated: Comment #3
Problem/Motivation
In drupal 7 it used to be possible to just touch settings.php and run the installer.
Since people have habits and they have relied on them in the past, they will try d8 with their habits before reading and following the install readme.
Proposed resolution
Lets make this reasonable habit work.
steps to reproduce
- remove sites directory
- drop database
- create an empty settings.php, for example:
touch settings.php;
(do NOT copy default settings file) - install using the UI installer
without this fix:
the page source during the install gets to:
$databases['default']['default'] = array (
'database' => 'd8',
'username' => 'root',
'password' => 'root',
'host' => 'localhost',
'port' => '',
'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
'driver' => 'mysql',
'prefix' => '',
);
$drupal_hash_salt = 'L0Q3rV7O67pT3c9DA63z5TYReVP7D81BU-igrkbIhpg';
$settings['install_profile'] = 'standard';
$config_directories['active']['path'] = 'config_E01oONi5L8jJLLxa-1n_jqVcgxVTCqdNLwH65-lnMFc/active';
$config_directories['staging']['path'] = 'config_E01oONi5L8jJLLxa-1n_jqVcgxVTCqdNLwH65-lnMFc/staging';
<!DOCTYPE html>
<html lang="" dir="ltr" class="install-background">
<head>
<title>Database configuration | Drupal</title>
<meta charset="utf-8" />
<link rel="shortcut icon"
also gives warnings like
Warning: Cannot modify header information - headers already sent by (output started at /foo/sites/default/settings.php:15) in drupal_send_headers() (line 1152 of core/includes/bootstrap.inc).
With the patch:
works normally.
Remaining tasks
- (done) add test
- review
User interface changes
No.
API changes
No.
Related Issues
Comment | File | Size | Author |
---|---|---|---|
#20 | 2122693.20.patch | 793 bytes | alexpott |
#15 | 2122693.14.test-only.patch | 2.67 KB | sun |
#14 | 2122693.14.patch | 3.3 KB | jayeshanandani |
#12 | 2122693.12.patch | 2.05 KB | jayeshanandani |
#12 | interdiff.txt | 2.06 KB | jayeshanandani |
Comments
Comment #1
alexpottComment #2
YesCT CreditAttribution: YesCT commentedafter a few steps in the installer, (and scrolling over to the right a long long way) see:
Comment #3
YesCT CreditAttribution: YesCT commentedphp storm notified me that variable_get() is deprecated but seems we might need to use it here.
this fixes some comments.
Comment #3.0
YesCT CreditAttribution: YesCT commentedtemplate and add steps and example of the settings in the page source.
Comment #3.1
YesCT CreditAttribution: YesCT commentedUpdated issue summary.
Comment #4
tedbowManually tested
1. Installed Drupal without: touch sites/default/settings.php - Worked greate
2 Installed Drupal with: touch sites/default/settings.php - Had same error as #2
3. Applied patch from #3
4. Installed Drupal with: touch sites/default/settings.php - Worked great
Note to re-install drupal 8:
1. dropped database
2. rm -rf sites
3. git checkout sites
Next step code review
Comment #5
BMDan CreditAttribution: BMDan commented@alexpott, @YesCT, and others put in yeoman's work to track down this bug at the code sprint at BADCamp after I triggered it by means of my lazy install practices. Since that time, I've spent quite a few hours in the air disconnected from d.o, so I created a parallel patch that takes a slightly different approach. While I was at it, I also made REQUIREMENT_WARNING clearly identify what it means by "try again", since it bothered me that its semantics were painfully unclear.
Comment #7
alexpottThis looks like it might cause issues for hosting companies providing their own settings.php file. I'm inclined to think that the solution in #3 looks like a nice way of preventing the regression.
Comment #7.0
alexpottadded the text of the warning, so it is google-able
Comment #8
BMDan CreditAttribution: BMDan commentedAs I see it, there are three different cases here:
I happen to believe that #3 deserves special consideration. But it's not a big deal.
Regardless, I think file_md5() is a better option than file_get_contents if we can swing it. file_md5() doesn't hit us with the memory usage problems of file_get_contents. Admittedly, this should be a rare problem, but if it's this trivial to avoid triggering it, we should at least try.
Comment #9
sunComment #10
sun#3 is the proper approach from my perspective — there's no reason to throw a requirements warning/error, if the file happens to be empty, but can be rewritten.
However, two remarks:
trim($content) === ''
, so as to account for white-space (when people useecho > settings.php
instead oftouch settings.php
, and also use strict comparison to ensure that it's really an empty string.Comment #11
jayeshanandani CreditAttribution: jayeshanandani commentedComment #12
jayeshanandani CreditAttribution: jayeshanandani commentedUpdated the #3 patch with modifications as per the comments.
Attaching interdiff for more review.
Comment #13
sunThanks! :-)
The last remaining step is to write a test for this bug. We weren't able to add tests for such bugs in the past, which explains the poor test coverage of the installer, but since very recently, we're able to write automated tests for the interactive installer. :)
Doing so is simple:
core/modules/system/lib/Drupal/system/Tests/Installer/InstallerEmptySettingsTest.php
class InstallerEmptySettingsTest extends InstallerTestBase
function setUp()
totouch($this->siteDirectory . '/settings.php');
and callparent::setUp()
afterwards.InstallerTranslationTest
for an example.Comment #14
jayeshanandani CreditAttribution: jayeshanandani commentedAdded the missing tests.
Comment #15
sunNow let's confirm that both tests actually catch the bug. :)
Comment #17
sunAlrighty :-) Both tests failed as expected.
The test failures of the new
InstallerEmptySettingsTest
are quite monumental, but I don't see how we could error out earlier.Comment #18
webchickWell, we definitely need to fix this, cos without that we have an information disclosure vulnerability. It feels a little jankalicious to be making up PHP in a string like this, but I don't immediately have grander suggestions. So...
Committed and pushed to 8.x. Thanks!
Comment #20
alexpottThis is currently break head :( due to #2219009: Improve DX of Settings class
Comment #21
pwolanin CreditAttribution: pwolanin commentedThat class already has
use Drupal\Component\Utility\Settings;
so this looks good.Comment #22
catchCommitted/pushed to 8.x, thanks!
Comment #24
catchReverting title.