Problem/Motivation
It was recommended with SA-CORE-2012-003 that the install.php could be deleted.
see Notes section on https://heine.familiedeelstra.com/drupal-7-installer-vulnerability
From the codebase it seems the bug is still present in Drupal 7.
https://git.drupalcode.org/project/drupal/-/blob/7.x/includes/bootstrap....
And it seems D9 is also redirecting without checking if the file exists.
https://git.drupalcode.org/project/drupal/-/blob/9.4.x/core/lib/Drupal/C...
Original Report
I've read everything starting from http://groups.drupal.org/node/121064 ( How to documentation for creating Drupal 7 multisite configuration ) about multi-site installation and I have two Drupal 6 installations working perfectly with multi-site but for the life of me I can't get a working version using Drupal 7.
The installation steps I followed were basically the same as for Drupal 6.
Whenever I attempt to navigate to a parked domain the browser eventually displays "This web page has a redirect loop" Error 310 (net:: ERR_TOO_MANY_REDIRECTS) There were too many redirects.
Please could someone tell me what I need to do to fix it?
Do I need to do some work with symlinks? They weren't needed in my Drupal 6 installations.
Steps to reproduce
For Drupal 7
1. Installed Drupal via Installatron
2. Configure a multisite install
3. Run Setup to create the multisite install
Proposed resolution
Delete core/install.php
Comments
Comment #1
herb_miller CreditAttribution: herb_miller commentedI have found the culprit.
I installed the site using Softaculous. I was unaware that my hosting company had changed the installation from the default; install.php was not part of the installed software.
Had I thought about navigating to install.php in my home site I would have seen a 404 error.
So I copied install.php and everything started working.
Of course I didn't do this until after I'd manually created a completely new working multi-site installation using two other domains then compared the installations file by file, using BeyondCompare.... at which point the problem was blindingly obvious.
Perhaps there is some scope for improvement - the redirect should not be performed if install.php is not present.
Comment #2
limelightinternet CreditAttribution: limelightinternet commentedThank you. This post just saved me hours of frustration.
Comment #3
miguel CreditAttribution: miguel commentedThis bug is marked as fixed but the problem remains on the latest Drupal. I reopen it.
Comment #4
star-szr@miguel - can you please post detailed steps on how to reproduce this behaviour? Contributor doc on posting steps to reproduce:
http://drupal.org/node/1468198
It's not clear to me whether this happens when you are trying to install another site in a multisite install or whether it occurs after site installation.
Downgrading status per http://drupal.org/node/45111, I don't think this is a major bug.
Comment #5
miguel CreditAttribution: miguel commentedTo reproduce
1. Installed Drupal via Installatron
2. Configure a multisite install
3. Run Setup to create the multisite install
Now the described error occours because the Installatron-Script removes install.php.
What I would expect
At least a message that install.php does not exist on the server.
To fix
Copy install.php to the server.
Status justification
I changed the status to major because this makes a multisite installation impossible. I guess most people will give up when having this error.
Comment #6
star-szrInstallatron? http://installatron.com?
Sounds like Installatron not removing install.php would fix this issue :)
Comment #7
star-szrJust re-read the issue, I guess Installatron and Softaculous both do this so maybe it's worth considering.
To account for this behaviour in Drupal, we'd need to do something like check file_exists() before trying to redirect to install.php in _drupal_bootstrap_configuration(). If the file doesn't exist, display a message to the user instead of redirecting.
Pseudo code:
Comment #8
miguel CreditAttribution: miguel commentedAs far I know it is a common use to remove install.php [1]. So all these people are also affected.
[1] http://drupal.org/upgrade/finished
Comment #12
PasqualleIt was recommended with SA-CORE-2012-003 that the install.php could be deleted.
see Notes section on https://heine.familiedeelstra.com/drupal-7-installer-vulnerability
So yes, Drupal should work correctly without the install.php file.
Comment #20
quietone CreditAttribution: quietone at PreviousNext commented#12 suggests that this is no longer a problem.
Can anyone reproduce this problem?
Since we need to confirm the problem still exists before continuing, I am setting the status to Postponed (maintainer needs more info). If we don't receive additional information to help with the issue, it may be closed after three months.
Thanks!
Comment #21
PasqualleI should have wrote it better, I wanted to say that the bug should be fixed, as it was recommended to delete the install.php file.
From the codebase it seems the bug is still present in Drupal 7.
https://git.drupalcode.org/project/drupal/-/blob/7.x/includes/bootstrap....
And it seems D9 is also redirecting without checking if the file exists.
https://git.drupalcode.org/project/drupal/-/blob/9.4.x/core/lib/Drupal/C...
But as I am unaware of any recommendation to delete core/install.php in D9, it could be a feature request for D10.
Comment #24
quietone CreditAttribution: quietone at PreviousNext commentedI have updated the Issue Summary and meta data based on the last two comments from @Pasqualle