Install subdirectory not disabled and publicly reachable

[gllmhyt]

Upgraded from 0.3.5 to 0.4.1, upgrade went well, but the /admin/install path seems not to be disabled.

For security reasons, this installation wizard is now disabled.

I can still access it. Configuration is NGinx and PHP-FPM.

[fabianwolf]

The install tool autolock feature was removed in release 0.4.0
You'll have to protect access to install tool by using webserver config, if you need it disabled.
But we should modify that message after install, cause it doesn't tell the truth anymore ;)

[gllmhyt]

Does it mean that anybody can access the install tool and mess with the SQLite file path?

[untitaker]

That seems pretty problematic as the SQLite file path is arbitrary PHP code that is executed.

[untitaker]

Deleting html/admin/install/index.php seems to do the trick. Perhaps this could be done as part of the upgrading process?

[evert]

This is indeed bad news. I was under the impression that the installation will not run, if baikal is already fully configured/installed.

[evert]

I'm now disabling the installer altogether if baikal was configured. Sorry I missed this :/

[gllmhyt]

Upgrading now: thank you for the quick fix!

Edit: Upgrade done, it's working well. Thank you again.