core/install.php can reinstall Drupal on already installed site

Created on 4 February 2025, 5 days ago

Problem/Motivation

On one of our websites, core/install.php was not only accessible but offered to install on an already fully enabled website. Next, it installed an install profile without asking for DB credentials or anything else!

Steps to reproduce

After some digging around, we found that state had an entry "install_task" which was not "done". We understand that installation via core/install.php can be resumed, but also that, especially on larger websites, there are more methods of installing than via a browser and core/install.php. There were no problems during normal operation, or even a mention of this on, say, the status page.

Proposed resolution

IMHO the Drupal status page should at least have notified us about this.

Remaining tasks

User interface changes

Introduced terminology

API changes

Data model changes

Release notes snippet

πŸ› Bug report
Status

Active

Version

10.3 ✨

Component

install system

Created by

🇳🇱 Netherlands jb044 Leeuwarden
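One way to surface the condition described in this report on the status page, as an added example that is not part of the original issue or of Drupal core: a `hook_requirements()` implementation in a hypothetical module named `install_state_check`. It assumes that a missing `install_task` entry should be flagged the same way as a value other than "done".

```php
<?php

/**
 * @file
 * install_state_check.install (hypothetical module name, added example).
 */

/**
 * Implements hook_requirements().
 */
function install_state_check_requirements($phase) {
  $requirements = [];

  // Only report on the status page of a running site.
  if ($phase !== 'runtime') {
    return $requirements;
  }

  // The installer records its progress in this state entry. The report above
  // found it holding a value other than 'done' on a fully working site.
  $task = \Drupal::state()->get('install_task');

  $requirements['install_state_check'] = [
    'title' => t('Installer state'),
    // Assumption of this example: a missing entry is shown and flagged too.
    'value' => $task === NULL ? t('(not set)') : (string) $task,
  ];

  if ($task === 'done') {
    $requirements['install_state_check']['severity'] = REQUIREMENT_OK;
  }
  else {
    $requirements['install_state_check']['severity'] = REQUIREMENT_ERROR;
    $requirements['install_state_check']['description'] = t('The "install_task" state entry is not "done", so core/install.php may offer to resume installation on this site. Restrict access to core/install.php and review how the site was installed before correcting the entry.');
  }

  return $requirements;
}
```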
