Index: INSTALL.txt =================================================================== RCS file: /Users/Shared/code/drupal/INSTALL.txt,v retrieving revision 1.69 diff -u -p -r1.69 INSTALL.txt --- INSTALL.txt 24 Jun 2008 17:04:38 -0000 1.69 +++ INSTALL.txt 3 Jul 2008 00:03:08 -0000 @@ -73,13 +73,27 @@ INSTALLATION http://drupal.org/project/translations and download the package. Extract the contents to the same directory where you extracted Drupal into. -2. GRANT WRITE PERMISSIONS ON CONFIGURATION FILE +2. CREATE THE CONFIGURATION FILE AND GRANT WRITE PERMISSIONS Drupal comes with a default.settings.php file in the sites/default - directory. The installer will create a copy of this file filled with - the details you provide through the install process, in the same - directory. Give the web server write privileges to the sites/default - directory with the command (from the installation directory): + directory. The installer uses this file as a template to create your + settings file using the details you provide through the install process. + To avoid problems when upgrading, Drupal is not packaged with an actual + settings file. You must create a file named settings.php. You may do so + by making a copy of default.settings.php (or create an empty file with + this name in the same directory). For example, (from the installation + directory) make a copy of the default.settings.php file with the command: + + cp sites/default/default.settings.php sites/default/settings.php + + Next, give the web server write privileges to the sites/default/settings.php + file with the command (from the installation directory): + + chmod o+w sites/default/settings.php + + So that the files directory can be created automatically, give the web server + write privileges to the sites/default directory with the command (from the + installation directory): chmod o+w sites/default 
@@ -116,11 +130,17 @@ INSTALLATION mkdir sites/default/files chmod o+w sites/default/files - The install script will attempt to write-protect the sites/default - directory after creating the settings.php file. If you make manual - changes to that file later, be sure to protect it again after making - your modifications. Failure to remove write permissions to that file - is a security risk. Although the default location for the settings.php + The install script will attempt to write-protect the settings.php file and + the sites/default directory after saving your configuration. However, you + may need to manually write-protect them using the commands (from the + installation directory): + + chmod a-w sites/default/settings.php + chmod a-w sites/default + + If you make manual changes to the file later, be sure to protect it again + after making your modifications. Failure to remove write permissions to that + file is a security risk. Although the default location for the settings.php file is at sites/default/settings.php, it may be in another location if you use the multi-site setup, as explained below. Index: install.php =================================================================== RCS file: /Users/Shared/code/drupal/install.php,v retrieving revision 1.122 diff -u -p -r1.122 install.php --- install.php 3 Jul 2008 17:57:03 -0000 1.122 +++ install.php 4 Jul 2008 16:36:23 -0000 @@ -109,6 +109,13 @@ function install_main() { // Tasks come after the database is set up if (!$task) { + global $db_url; + + if (!$verify && !empty($db_url)) { + // Do not install over a configured settings.php. + install_already_done_error(); + } + // Check the installation requirements for Drupal and this profile. install_check_requirements($profile, $verify); 
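Review bot: The guard added under `if (!$task)` is now the only visible place that stops the installer from running over a configured settings.php, because the `@@ -200,14 +207,6 @@` hunk removes the same check from install_change_settings(). If that function can be reached on any path that skips this branch, the protection is gone, so the callers outside this diff are worth checking. The comment should also say why `!$verify` is part of the condition, e.g. `// $db_url is set but the settings did not verify: refuse instead of offering the settings form.` (`$verify` is assigned outside the hunk, so adjust the wording to what it actually means). As a style point, `global $db_url;` would read better at the top of install_main() than inside the block; the function starts and ends outside the hunk.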
@@ -200,14 +207,6 @@ function install_change_settings($profil include_once './includes/form.inc'; install_task_list('database'); - if ($db_url == 'mysql://username:password@localhost/databasename') { - $db_user = $db_pass = $db_path = ''; - } - elseif (!empty($db_url)) { - // Do not install over a configured settings.php. - install_already_done_error(); - } - $output = drupal_get_form('install_settings_form', $profile, $install_locale, $settings_file, $db_url, $db_type, $db_prefix, $db_user, $db_pass, $db_host, $db_port, $db_path); drupal_set_title(st('Database configuration')); print theme('install_page', $output); 
@@ -880,21 +879,22 @@ function install_check_requirements($pro $conf_path = './' . conf_path(FALSE, TRUE); $settings_file = $conf_path . '/settings.php'; $file = $conf_path; + $exists = FALSE; // Verify that the directory exists. if (drupal_verify_install_file($conf_path, FILE_EXIST, 'dir')) { - // Check to see if a settings.php already exists. + // Check to make sure a settings.php already exists. + $file = $settings_file; if (drupal_verify_install_file($settings_file, FILE_EXIST)) { + $exists = TRUE; // If it does, make sure it is writable. $writable = drupal_verify_install_file($settings_file, FILE_READABLE|FILE_WRITABLE); - $file = $settings_file; - } - else { - // If not, make sure the directory is. - $writable = drupal_verify_install_file($conf_path, FILE_READABLE|FILE_WRITABLE, 'dir'); + $exists = TRUE; } } - - if (!$writable) { + if (!$exists) { + drupal_set_message(st('The @drupal installer requires that you create %file as part of the installation process, and then make it writable. If you are unsure how to grant file permissions, please consult the on-line handbook.', array('@drupal' => drupal_install_profile_name(), '%file' => $file, '@handbook_url' => 'http://drupal.org/server-permissions')), 'error'); + } + elseif (!$writable) { drupal_set_message(st('The @drupal installer requires write permissions to %file during the installation process. If you are unsure how to grant file permissions, please consult the online handbook.', array('@drupal' => drupal_install_profile_name(), '%file' => $file, '@handbook_url' => 'http://drupal.org/server-permissions')), 'error'); } } Index: modules/simpletest/simpletest.test =================================================================== RCS file: /Users/Shared/code/drupal/modules/simpletest/simpletest.test,v retrieving revision 1.3 diff -u -p -r1.3 simpletest.test --- modules/simpletest/simpletest.test 24 Jun 2008 21:51:02 -0000 1.3 +++ modules/simpletest/simpletest.test 3 Jul 2008 18:41:08 -0000 
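Review bot: `$exists = TRUE;` is assigned twice inside the inner `if`, and `$writable` is only ever assigned there, so nothing in the hunk gives it a value on the paths where the directory or settings.php is missing. The `elseif (!$writable)` branch is only reached when `$exists` is true, so this works today. Initialising `$writable = FALSE;` next to `$exists = FALSE;` and dropping the second `$exists = TRUE;` would keep a later reordering from reading an undefined variable in the check that gates writing the file holding the database credentials. The comment `// If it does, make sure it is writable.` now sits after the first assignment and should move directly above the `drupal_verify_install_file()` call; the two messages also differ in spelling ("on-line handbook" vs "online handbook"). The function starts outside the hunk, so an earlier initialisation of `$writable` cannot be ruled out.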
@@ -42,6 +42,12 @@ class SimpleTestTestCase extends DrupalW if (!$this->inCURL()) { $this->drupalGet('node'); $this->assertTitle(variable_get('site_name', 'Drupal'), t('Site title matches.')); + // Make sure that we are locked out of the installer when prefixing + // using the user-agent header. This is an important security check. + global $base_url; + + $this->drupalGet($base_url . '/install.php', array('external' => TRUE)); + $this->assertResponse(403, 'Cannot access install.php with a "simpletest" user-agent header.'); } } Index: sites/default/default.settings.php =================================================================== RCS file: /Users/Shared/code/drupal/sites/default/default.settings.php,v retrieving revision 1.11 diff -u -p -r1.11 default.settings.php --- sites/default/default.settings.php 1 Jul 2008 20:36:40 -0000 1.11 +++ sites/default/default.settings.php 2 Jul 2008 18:07:01 -0000 @@ -90,7 +90,7 @@ * $db_url = 'mysqli://username:password@localhost/databasename'; * $db_url = 'pgsql://username:password@localhost/databasename'; */ -$db_url = 'mysql://username:password@localhost/databasename'; +$db_url = ''; $db_prefix = ''; /**
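Review bot: The new assertion expects a 403 from install.php, but none of the install.php hunks in this patch sets that status or inspects the user-agent, so the test depends on a guard outside the diff. The comment should name that guard, e.g. `// install.php must refuse requests whose user-agent selects a test database prefix.` If the 403 actually comes from `install_already_done_error()`, the test would pass for any installed site without exercising the user-agent path, which is worth confirming. The message passed to `assertResponse()` is a bare string while the `assertTitle()` call just above wraps its message in `t()`; `t('Cannot access install.php with a "simpletest" user-agent header.')` would be consistent. The test method starts outside the hunk.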
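Review bot: The empty default on the `$db_url = '';` line is now load-bearing, and nothing on the line says so. The install_main() hunk in this patch treats a non-empty `$db_url` with `$verify` false as an already-configured site and refuses to install. A comment directly above the assignment would tell administrators not to put a placeholder back, e.g. `// Left empty on purpose: install.php treats a non-empty $db_url as a configured site.` The example URLs in the docblock above still serve as format references.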