Index: install.php
===================================================================
RCS file: /cvs/drupal/drupal/install.php,v
retrieving revision 1.235
diff -u -p -r1.235 install.php
--- install.php	14 Jan 2010 18:45:17 -0000	1.235
+++ install.php	18 Jan 2010 16:59:48 -0000
@@ -1528,39 +1528,22 @@ function install_check_requirements($ins
     $writable = FALSE;
     $conf_path = './' . conf_path(FALSE, TRUE);
     $settings_file = $conf_path . '/settings.php';
-    $file = $conf_path;
-    $exists = FALSE;
-    // Verify that the directory exists.
-    if (drupal_verify_install_file($conf_path, FILE_EXIST, 'dir')) {
-      // Check to make sure a settings.php already exists.
-      $file = $settings_file;
-      if (drupal_verify_install_file($settings_file, FILE_EXIST)) {
-        $exists = TRUE;
-        // If it does, make sure it is writable.
-        $writable = drupal_verify_install_file($settings_file, FILE_READABLE|FILE_WRITABLE);
-        $exists = TRUE;
-      }
-    }
-
-    if (!$exists) {
-      $requirements['settings file exists'] = array(
-        'title'       => st('Settings file'),
-        'value'       => st('The settings file does not exist.'),
-        'severity'    => REQUIREMENT_ERROR,
-        'description' => st('The @drupal installer requires that you create a settings file as part of the installation process. Copy the %default_file file to %file. More details about installing Drupal are available in <a href="@install_txt">INSTALL.txt</a>.', array('@drupal' => drupal_install_profile_distribution_name(), '%file' => $file, '%default_file' => $conf_path . '/default.settings.php', '@install_txt' => base_path() . 'INSTALL.txt')),
-      );
+    $default_settings_file = $conf_path . '/default.settings.php';
+    // Check if $conf_path is world-writable
+    $conf_path_worldwritable = FALSE;
+    $conf_path_perms = substr(sprintf('%o', fileperms($conf_path)), -4);
+    if ($conf_path_perms == '0777') {
+      $conf_path_worldwritable = TRUE;
     }
-    else {
-      $requirements['settings file exists'] = array(
-        'title'       => st('Settings file'),
-        'value'       => st('The %file file exists.', array('%file' => $file)),
-      );
+    // Check if a settings.php file already exists and is writable.
+    if (drupal_verify_install_file($settings_file, FILE_EXIST)) {
+      $writable = drupal_verify_install_file($settings_file, FILE_READABLE|FILE_WRITABLE);
       if (!$writable) {
         $requirements['settings file writable'] = array(
           'title'       => st('Settings file'),
           'value'       => st('The settings file is not writable.'),
           'severity'    => REQUIREMENT_ERROR,
-          'description' => st('The @drupal installer requires write permissions to %file during the installation process. If you are unsure how to grant file permissions, consult the <a href="@handbook_url">online handbook</a>.', array('@drupal' => drupal_install_profile_distribution_name(), '%file' => $file, '@handbook_url' => 'http://drupal.org/server-permissions')),
+          'description' => st('The @drupal installer requires write permissions to %conf_path during the installation process. If you are unsure how to grant file permissions, consult the <a href="@handbook_url">online handbook</a>.', array('@drupal' => drupal_install_profile_distribution_name(), '%conf_path' => $conf_path, '@handbook_url' => 'http://drupal.org/server-permissions')),
         );
       }
       else {
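Review bot: The world-writable test `if ($conf_path_perms == '0777')` matches one exact mode only; a directory with mode 1777 (sticky bit), 0767 or 0776 is equally world-writable but leaves `$conf_path_worldwritable` FALSE, so the installer would then take the `@copy` branch and treat a world-writable directory as the "same user" case the comment describes as safe. Testing the other-write bit is what the comment says it does: `$conf_path_worldwritable = (bool) (fileperms($conf_path) & 0002);`. The removed `drupal_verify_install_file($conf_path, FILE_EXIST, 'dir')` guard also means `fileperms()` now runs on a possibly missing directory, which emits a warning and returns FALSE, so the existence check should stay in front of the permission test. The removed `$file` variable appears to still be referenced by the unchanged writable-OK message between the two hunks (`'%file' => $file`); if so it is now undefined. install_check_requirements begins before this hunk and continues past it.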
@@ -1570,6 +1553,51 @@ function install_check_requirements($ins
         );
       }
     }
+    // If a settings.php file does not already exist, try to copy the default
+    // settings file to create one. This way we determine if sites/default 
+    // is writable by the webserver, which is inherently bad security.
+    else {
+      // $conf_path is not world-writable, so we now really know that http-user
+      // and ftp/ssh-user are the same. Typical shared-hosting situation.
+      if (!$conf_path_worldwritable) {
+        if (@copy($default_settings_file, $settings_file)) {
+          // If the host allows the http-user to write to sites/default add
+          // a warning to the status report (ToDo) but keep http-user-owned
+          // settings.php. 
+          $requirements['settings file'] = array(
+            'title'       => st('settings file'),
+            'value'       => st('Less secure server'),
+            'severity'    => REQUIREMENT_WARNING,
+            'description' => st('The server you have installed @drupal on is not very secure because it allows write access to the @drupal configuration directory by the your web server software. This is common on shared hosting however. More details about doing this are available in <a href="@install_txt">INSTALL.txt</a> or the <a href="@handbook_url">online handbook</a>.', array('@drupal' => drupal_install_profile_distribution_name(), '@install_txt' => base_path() . 'INSTALL.txt', '@handbook_url' => 'http://drupal.org/server-permissions')),
+          );
+        }
+        // If the host does not allow the http-user to write to sites/default,
+        // display a warning and give these options to the user:
+        // 1) Manually create settings.php
+        // 2) Let Drupal try to create settings.php with authorize UI and a
+        //    FileTransfer object (ToDo).
+        else {
+          $requirements['settings file exists'] = array(
+            'title'       => st('Settings file'),
+            'value'       => st('The settings file does not exist.'),
+            'severity'    => REQUIREMENT_ERROR,
+            'description' => st('@drupal could not automatically create the file %settings_file which is needed for installation. You should now do one of these two things: <ul><li>Manually copy the file %default_file to the file %settings_file. More details about doing this are available in <a href="@install_txt">INSTALL.txt</a> or the <a href="@handbook_url">online handbook</a>.<br />OR</li><li>Let @drupal do secure file creation for you. For that you will have to enter the username and password of your user account on this server. <br /><a href="#">Click here to do this</a>.</li></ul>', array('@drupal' => drupal_install_profile_distribution_name(), '%default_file' => $conf_path . '/default.settings.php', '%settings_file' => $conf_path . '/settings.php', '@install_txt' => base_path() . 'INSTALL.txt', '@handbook_url' => 'http://drupal.org/server-permissions')),
+          );
+        }
+      }
+      // User has chmodded sites/default to 0777 before installing Drupal.
+      // Let's just proceed assuming he knows what he's doing...
+      // Or maybe issue a warning?
+      else {
+        unset($settings_file);
+        $requirements['settings file exists'] = array(
+          'title'       => st('Settings file'),
+          'value'       => st('The settings file does not exist.'),
+          'severity'    => REQUIREMENT_ERROR,
+          'description' => st('@drupal could not automatically create the file %settings_file which is needed for installation. You should now do one of these two things: <ul><li>Manually copy the file %default_file to the file %settings_file. More details about doing this are available in <a href="@install_txt">INSTALL.txt</a> or the <a href="@handbook_url">online handbook</a>.<br />OR</li><li>Let @drupal do secure file creation for you. For that you will have to enter the username and password of your user account on this server. <br /><a href="#">Click here to do this</a>.</li></ul>', array('@drupal' => drupal_install_profile_distribution_name(), '%default_file' => $conf_path . '/default.settings.php', '%settings_file' => $conf_path . '/settings.php', '@install_txt' => base_path() . 'INSTALL.txt', '@handbook_url' => 'http://drupal.org/server-permissions')),
+        );
+      }
+    }
   }
   return $requirements;
 }
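Review bot: The world-writable branch at `else { unset($settings_file); ...` reports "could not automatically create the file %settings_file" without ever attempting a copy, so the message is false for that case, `unset($settings_file)` silently removes a variable the rest of the function may still read, and the comment above it ("Let's just proceed assuming he knows what he's doing") contradicts the REQUIREMENT_ERROR the code actually raises; either attempt the same `@copy()` here or say in the description that creation was skipped because the directory is world-writable. On the success path of `@copy($default_settings_file, $settings_file)` the new settings.php takes the web server's umask, so its mode should be checked or tightened immediately after creation, and the comment "we now really know that http-user and ftp/ssh-user are the same" is an inference from one successful write (a group-writable directory gives the same result) that reads better as `// A successful copy suggests the web server user owns $conf_path (or shares its group) — not proven.`. The `<a href="#">Click here to do this</a>` in both error descriptions is a dead link shipped to users inside a message that promises "secure file creation"; until the authorize UI exists it should be dropped, and the duplicated requirement array at the two `'settings file exists'` sites could be built once above the branch.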
