Making public from s.d.o.
D6-D8
The issue is that when an anonymous user visits install.php, install_verify_settings() will trigger a call to db_run_tasks() which does a bunch of things on the database server.
From Damien's comment there:
It's a problem if the database install tasks are potentially heavy. This is true for PostgreSQL and SQL Server: during the installation tasks we create and/or update stored procedures / types / etc.
Even if the process is relatively light (on MySQL, we do a CREATE TABLE / DROP TABLE and a couple of test queries), it's really not nice to allow anyone having access to install.php to do this. There is no good reason to.
Comments
Comment #1
dstol
May be a dupe of #1816124: Fix installer PHP code execution issues from SA-CORE-2012-003 (and backport anything to 7.x-dev as necessary)
Comment #2
tstoeckler
I usually restrict access to install.php via the command line, and I would assume that is common practice. So to encourage that practice, we could easily add a REQUIREMENT_WARNING to the status report. Thoughts?
Comment #3
greggles
@tstoeckler - what do you mean by "via the command line"? Seems like a potentially interesting technique.
Comment #4
tstoeckler
Nothing fancy, I just simply meant
chmod 000 install.php
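The two suggestions above (a status-report warning in Comment #2, and locking install.php with chmod in Comment #4) fit together in one hook_requirements() implementation. The following is an added example written for this page, not Drupal core code and not anything attached to this issue; the module name installer_lock and the helper installer_lock_is_exposed() are hypothetical, while hook_requirements(), get_t(), DRUPAL_ROOT, REQUIREMENT_OK and REQUIREMENT_WARNING are the Drupal 7 API as it exists. It would live in the module's .install file.

```php
<?php

/**
 * Implements hook_requirements().
 *
 * Added example (hypothetical module "installer_lock"), not Drupal core
 * code: warns on the status report while install.php is still readable
 * by the web server process.
 */
function installer_lock_requirements($phase) {
  $requirements = array();

  // Only meaningful on the runtime status report. During the 'install'
  // phase the installer is legitimately in use.
  if ($phase != 'runtime') {
    return $requirements;
  }

  // get_t() returns the correct translation function for the phase.
  $t = get_t();
  $path = DRUPAL_ROOT . '/install.php';

  $requirements['installer_lock'] = array(
    'title' => $t('Installer script'),
  );

  if (installer_lock_is_exposed($path)) {
    $requirements['installer_lock']['value'] = $t('install.php is readable by the web server');
    $requirements['installer_lock']['severity'] = REQUIREMENT_WARNING;
    $requirements['installer_lock']['description'] = $t('Anyone who can request install.php can make the installer run its database tasks. Delete the file or make it unreadable, for example with <code>chmod 000 install.php</code>.');
  }
  else {
    $requirements['installer_lock']['value'] = $t('install.php is not readable');
    $requirements['installer_lock']['severity'] = REQUIREMENT_OK;
  }

  return $requirements;
}

/**
 * Returns TRUE when install.php exists and the PHP process can read it.
 *
 * A file that has been removed, or whose permission bits were cleared
 * (chmod 000), counts as locked. This is a hypothetical helper for the
 * example above.
 */
function installer_lock_is_exposed($path) {
  return file_exists($path) && is_readable($path);
}
```

Two caveats a practitioner would want: the check runs as the web server user, so it reports what PHP itself can open, and chmod 000 only helps when PHP does not run as root (root ignores mode bits). Hiding the file from the web server, or denying the URL in the server configuration, is the more robust equivalent; the status-report warning is there to make the missing step visible, not to enforce it.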
Comment #13
catch
Marking duplicate of #1816124: Fix installer PHP code execution issues from SA-CORE-2012-003 (and backport anything to 7.x-dev as necessary).