- Issue created by @BramDriesen
- π§πͺBelgium BramDriesen Belgium π§πͺ
Clarification of the title to better explain what the issue is
- First commit to issue fork.
- Merge request !5280Issue #3399685: Remove Core version from install.php β (Closed) created by poker10
- Status changed to Needs work
over 1 year ago 7:19pm 7 November 2023 - πΈπ°Slovakia poker10
Created a MR with possible approach (inspired by
_drupal_maintenance_theme()). This probably needs a test though. - π§πͺBelgium BramDriesen Belgium π§πͺ
Nice! Looks very clean π I guess we can borrow some inspiration as well from the maintenance tests (if they exist).
- Status changed to Needs review
over 1 year ago 2:28pm 8 November 2023 - πΈπ°Slovakia poker10
Thanks. Applied the suggestion and added a simple check if the version info is present on existing install.
Tests are green and here is the test-only job failing: https://git.drupalcode.org/project/drupal/-/jobs/295166
There was 1 error: 1) Drupal\FunctionalTests\Installer\InstallerExistingInstallationTest::testInstaller Behat\Mink\Exception\ResponseTextException: The text "11.0-dev" appears in the text of this page, but it should not. - Status changed to RTBC
over 1 year ago 2:35pm 8 November 2023 - π§πͺBelgium BramDriesen Belgium π§πͺ
Looks good to me! Not sure if we need anything else. Adding a few tags to get this approved. Not sure if we need a frontend framework review.
- πΈπ°Slovakia poker10
I think this is a minor change and I doubt that anybody is using this script to check the Drupal version on installed site (beside the potential attackers). So I think that this does not need product manager or framework manager reviews. We can consider a CR, but again, this is a very minor change, which should affect the installer page only when the site is already installed and in that time there is no reason to access
install.phpanymore. - πΊπΈUnited States greggles Denver, Colorado, USA
+1 to the RTBC. This is a straightforward change that improves security without impacting the useful information provided on a fresh install.
Thanks for the proposal and work on a fix!
Uploading a screenshot for anyone else curious how this affects the page when a site is already installed. "Before" state is on the left, after is on the right.
- π¬π§United Kingdom longwave UK
A small but helpful security improvement. Backported to 10.1.x as a security hardening there as well.
Committed and pushed 4c95ce55a8 to 11.x and e54a7cec2a to 10.2.x and 5e86af6e28 to 10.1.x. Thanks!
-
longwave β
committed 5e86af6e on 10.1.x
Issue #3399685 by poker10, greggles, BramDriesen: Remove Core version...
-
longwave β
committed 5e86af6e on 10.1.x
-
longwave β
committed e54a7cec on 10.2.x
Issue #3399685 by poker10, greggles, BramDriesen: Remove Core version...
-
longwave β
committed e54a7cec on 10.2.x
- Status changed to Fixed
over 1 year ago 11:46am 11 November 2023 -
longwave β
committed 4c95ce55 on 11.x
Issue #3399685 by poker10, greggles, BramDriesen: Remove Core version...
-
longwave β
committed 4c95ce55 on 11.x
- π§πͺBelgium BramDriesen Belgium π§πͺ
Fixed a typo, a few readability issues and added a short release note snippet.
Automatically closed - issue fixed for 2 weeks with no activity.
