Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
I'd like to be able to modify every form throughout the install process usign the Form API inside install profiles.
Currently, it is not possible to modify any form other than 'install_configure'.
I believe that install profiles should allow developers to specify database connetion information in an install profile without hacking core (just disallow storing the database password for security purposes)
I'm willing to take on this project, so long as it's something the community would like to have available in Drupal 7.
Comment | File | Size | Author |
---|---|---|---|
#38 | installer_update_9.patch | 837 bytes | cweagans |
#37 | installer_update_8.patch | 1.42 KB | cweagans |
#27 | installer_update_7.patch | 1.26 KB | dman |
#25 | installer_update_6.patch | 1.28 KB | cweagans |
#20 | installer_update_5.patch | 1.29 KB | cweagans |
Comments
Comment #1
cweagansWoo patch.
Comment #2
cweagansForgot to set to needs review.
Comment #3
dman CreditAttribution: dman commentedThankyou.
I did the same (or similar) (1 line core hack) because I was asked to streamline a kitset site-maker.
I'm aware that many normal features are not available at that stage of the pre-install ... but it's still FAPI!
... although I don't see how preventing the password being pre-set is a vulnerability. If it were an issue, then the DB password actually working on the db-server would be the problem.
Are you just trying to dissuade folk from using it that way?
Me - for my other admin users - I actually convert the password field to plaintext so we can compare it with the one in our internal documentation before proceeding. It makes rapid development prototype sites a matter of clickthrough rather that reconfigure-each-time.
There are issues, but for internal throw-away testing ...
.dan.
Comment #4
cweagansMy reason for not wanting the profile to be able to set the password is that it could provide a way for somebody to get user/1 on the site.
For example:
I set up a subdomain that pointed to my Drupal installation on my server. While the DNS info was propagating, I added the folder to my sites directory.
If someone else is able to get to the installer before I am because of DNS latency, and the password is prefilled because of my installation profile, that person is going to be able to run the installer and will be logged in as user/1 when it finishes.
You think it should be allowed?
BTW, in your example, why not just copy/paste the password from your documentation?
Comment #5
dman CreditAttribution: dman commentedSounds like an edge case - but is a valid concern
... if you've already pre-filled that password yourself earlier. Why not just not do that, instead of adding it then later blanking it?
If the subsite folder has a db connection string pre-set, yes, you'll see that preset again, but if your new subsite folder was a clean template settings.php then it won't..
When I deploy new site folders, the settings.php is a copy of default.settings.php - as usual.
Then my install profile fills it in via FAPI (based on custom arcane tweaks of my own)
Which I guess leaves it open to the same exploit you avoid ... but by choice on our dev intranet.
But I have the choice. My use-case is training, rapid prototyping, and getting non-admins to run through simple site setups quick.
And for me to tear-down and remake install profiles a lot while developing those install profiles.
Copy & Paste is possible, but is between 5 and 20 point & clicks more than just going "Next"
If the UI is doing its job and usable, then after the first run through, documentation should be redundant and forgotten about.
If you feel the need to zero out the password - do it in your (now supported) form_alter. That's what it is there for!
Forcing it out like that line in this patch does would actually change current core behaviour (which right now allows easy rebuilds of sites after you drop the database). I think this is by design.
I support the form_alter enhancements, but not breaking existing functionality.
Comment #7
cweagansdman, if the database information is already in settings.php, it will be filled in as normal (that line basically duplicates the default core functionality).
Comment #8
cweagansbump.
Can anyone add their opinion to this issue? How should the password field be handled?
Comment #9
ChrisBryant CreditAttribution: ChrisBryant commentedSubscribing...
Comment #10
chx CreditAttribution: chx commentedthat password stuff makes no sense, if the profile wants to prefill the db password then it takes away the password field and uses #type value. get rid of it. the profile form_alter in itself is a good idea.
Comment #11
cweagansAlright, patch has been updated with the suggestions of chx and dman.
Comment #12
dman CreditAttribution: dman commented++ Cool and tidy.
Comment #13
moshe weitzman CreditAttribution: moshe weitzman commentedCan't a URL hacker call any function on your site that that ends with _form_alter()? Granted that most files are not included yet but still.
Comment #14
chx CreditAttribution: chx commentedMoshe is right we need to validate the profile.
Comment #15
chx CreditAttribution: chx commentedWe need to validate that $_GET['profile'] is a valid profile.
Comment #16
cweagansNot to be argumentative, but I wouldn't think that this is an issue that needs addressed in this patch. The code to allow altering the form through hook_form_alter() is taken from the other place in the installer that allows it (install_configure) -- verbatim. Why would this particular form need extra validation, and why would that code go in this patch?
Comment #17
cweagansAttached new patch with profile verification.
Also, as per chx's request, I'm noting that the verification in install_main needs a backport to Drupal 6 due to the existing form_alter in the installer.
Comment #18
cweagansRemoved the is_dir check -- redundant and unneeded.
Also, semi-related issue: #346494: DB drivers need to be able to change the configure database form during install
Comment #19
cweagansOne more patch, as per chx's advice.
Comment #20
cweagansSigh...one more. Somehow the is_dir check made it back in on that last one.
Comment #21
chx CreditAttribution: chx commentedThat's good and eventually we want to backport the check IMO.
Comment #22
cweagansAs soon as this is in, I'll backport it.
Comment #23
Dave ReidCoding style plz!
Two inserted lines with spaces
An extra unnecessary space at the end.
Comment #24
sunWrong string concatenation.
Trailing white-space; blank lines should be blank.
I'm not bold on this one, but we might want to consider to also state that drupal_function_exists() doesn't work at install time.
Please remove that trialing blank line.
Comment #25
cweagansFixed string concatenation.
Fixed trailing white space
Form alter code is taken from elsewhere in the installer (lines 1119-1126) -- from my perspective (as a new core contributor), my first reaction when looking at that particular code was that there is probably a reason that it's not using drupal_function_exists() -- seems like kind of a given.
Trailing blank line removed.
New patch attached.
Comment #26
sunWe try to avoid abbreviations in comments, but anyway, good to go.
Comment #27
dman CreditAttribution: dman commentedNope
I don't know what DRUPAL_ROOT is doing here - it's not defined anywhere at all, and makes my install totally fail. (submitting the first page profile selector just refreshes it, as it thinks I've chosen a non-existent profile)
is fine instead.
Comment #28
cweagansThanks for the fix!
Setting to needs review to have your patch tested.
Comment #30
cweagansHrm....the patch applies locally for me. Let's try that again.
Comment #31
dman CreditAttribution: dman commentedit needed fuzz. I think testbot doesn't like that.
Comment #32
cweagansSo it just needs a reroll against HEAD?
Comment #33
adrian CreditAttribution: adrian commentedI feel that this patch slightly conflicts with my goals for #509404: Fix some conceptual problems with install profiles and make them actually usable
specifically regarding this :
#525594: Installation should consist of 2 phases instead of one
the database details form should not be editable. but once i get to the above patch the rest of the install process will run in a full bootstrap, so modules and install profiles will be able to create their own wizard forms and modify any of the existing forms.
Comment #34
sunI disagree with the database form not being alterable by install profiles, because we have an existing use-case: http://drupal.org/project/demo_profile wants to restore the db_prefix that has been dumped along with some other information.
Comment #35
adrian CreditAttribution: adrian commentedif you select the install profile before that form, you can set the global db_prefix and just make the form default/override to the global if found.
This serves both our purposes and also works with #524728: Refactor install.php to allow Drupal to be installed from the command line, where you can create the settings.php before you run the install from the command line.
if you make that form alterable, it means that even if you can develop a mechanism to automate every other install profile, you will still end up needing to write demo_profile specific code.
Comment #36
Gábor HojtsyI'd keep the preg_replace() in the profile validation or otherwise null byte poisoning attacks are possible on the profile name. Since it is only used install time, it might not be that critical, but anyway, just whitelisting for the allowed chars still makes sense IMHO. http://www.google.com/search?q=null+byte+poisoning+php
Comment #37
cweagansKeeping up with HEAD.
Comment #38
cweagansAlso, it appears that the profile validation part of this patch has been added by #524728: Refactor install.php to allow Drupal to be installed from the command line.
Attached patch is just the form alter addition.
Comment #39
cweagansTagging
Comment #40
cweagansBecause of my discussion with adrian on IRC, I'm going to mark this as a Won't Fix.
Please direct efforts to adrian's installer work (split installer into two phases, etc).
Comment #41
Dave ReidBTW, the database settings absolutely need to be alterable so we can remove the unnecessary username and password fields when SQLite is used, or change the database name maxlength for PostgreSQL and SQLite. I hope adrian's work will not completely block #346494: DB drivers need to be able to change the configure database form during install.