A site I'm currently managing has Drupal 7.17 on it. I'm noticing the following files in the root of the website:
install.php
CHANGELOG.txt
INSTALL.txt
INSTALL.mysql.txt
INSTALL.pgsql.txt
LICENSE.txt
MAINTAINERS.txt
UPGRADE.txt
Researching this, tells me that as of Drupal 7.16, they fixed a security issue that would allow arbitrary code to run in install.php that would allow the re-installation of Drupal that someone could run. But basically, I am wondering if any of these files (if left in the server root) could cause problems in Drupal 7.17? Do I have to remove these files for security reasons? Or is this no longer a security risk whatsoever in Drupal 7.17?
I understand that we shouldn't remove the upgrade.php file, but just curious on the rest of these files.
Thanks, and this is probably a dumb question, but just felt the need to ask anyways. Usually I remove these files when I install software on websites, but not sure how Drupal uses and/or misuses these files.
Based on the document “Finalize the upgrade” (which applies to both upgrades and installations) from the Drupal handbook:
The last step in an upgrade is to delete or move the following files from your site:
install.php
CHANGELOG.txt
INSTALL.txt
INSTALL.mysql.txt
INSTALL.pgsql.txt
INSTALL.sqlite.txt
LICENSE.txt
MAINTAINERS.txt
UPGRADE.txt
Just to make that clear: the only PHP file to delete is "install.php" (i.e. be sure to leave "upgrade.php" and all other PHP files). And when you delete the TXT files, be sure to keep "robots.txt" since it is used by search engines.