authorDries Buytaert2008-03-17 16:53:58 (GMT)
committerDries Buytaert2008-03-17 16:53:58 (GMT)
commit45097b78b7ff86e2d5ecd53d9926204d52c87955 (patch)
tree57fdb6b07f08dfce2bd220ff4452b729704043dd
parent2e2c2bcac0ee76a081242ab8124c102fd4bda72b (diff)
- Patch #52910 by kbahey, keith.smith, Susurrus, et al: restrict access to cron.php.
-rw-r--r--CHANGELOG.txt2
-rw-r--r--INSTALL.txt30
-rw-r--r--cron.php4
-rw-r--r--modules/system/system.install9
4 files changed, 33 insertions, 12 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 7b44c75..102892f 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -2,6 +2,8 @@
Drupal 7.0, xxxx-xx-xx (development version)
----------------------
+- Security:
+ * Protected cron.php -- cron will only run if the proper key is provided.
- Usability:
* Implemented drag-and-drop positioning for input format listings.
* Provide descriptions for permissions on the administration page.
diff --git a/INSTALL.txt b/INSTALL.txt
index a15786c..93a627c 100644
--- a/INSTALL.txt
+++ b/INSTALL.txt
@@ -207,20 +207,30 @@ INSTALLATION
maintenance task, including search module (to build and update the index
used for keyword searching), aggregator module (to retrieve feeds from other
sites), and system module (to perform routine maintenance and pruning on
- system tables).
- To activate these tasks, call the cron page by visiting
- http://www.example.com/cron.php, which, in turn, executes tasks on behalf
- of installed modules.
+ system tables). To activate these tasks, visit the page "cron.php", which
+ executes maintenance tasks on behalf of installed modules. The URL of the
+ cron.php page requires a "cron key" to protect against unauthorized access.
+ Each cron key is automatically generated during installation and is specific
+ to your site. The full URL of the page, with cron key, is available in the
+ "Cron maintenance tasks" section of the "Status report page" at:
- Most systems support the crontab utility for scheduling tasks like this. The
- following example crontab line will activate the cron tasks automatically on
- the hour:
+ Administer > Reports > Status report
- 0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php
+ Most systems support using a crontab utility for automatically executing
+ tasks like visiting the cron.php page. The following example crontab line
+ uses wget to automatically visit the cron.php page each hour, on the hour:
+
+ 0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php?cron_key=RANDOMTEXT
+
+ Replace the text "http://www.example.com/cron.php?cron_key=RANDOMTEXT" in the
+ example with the full URL displayed under "Cron maintenance tasks" on the
+ "Status report" page.
More information about cron maintenance tasks are available in the help pages
- and in Drupal's online handbook at http://drupal.org/cron. Example scripts can
- be found in the scripts/ directory.
+ and in Drupal's online handbook at http://drupal.org/cron. Example cron scripts
+ can be found in the scripts/ directory. (Note that these scripts must be
+ customized similar to the above example, to add your site-specific cron key
+ and domain name.)
DRUPAL ADMINISTRATION
---------------------
diff --git a/cron.php b/cron.php
index f242ee7..e40dc2d 100644
--- a/cron.php
+++ b/cron.php
@@ -8,4 +8,6 @@
include_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
-drupal_cron_run();
+if (isset($_GET['cron_key']) && variable_get('cron_key', 'drupal') == $_GET['cron_key']) {
+ drupal_cron_run();
+}
\ No newline at end of file
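Review bot: The key check on the added `if` line uses `==`, so PHP's loose comparison is applied to request input, and two numeric-looking strings (for instance an all-digit `0e…` hash value) can compare equal without being identical. A strict string comparison closes that gap: `if (isset($_GET['cron_key']) && is_string($_GET['cron_key']) && variable_get('cron_key', 'drupal') === $_GET['cron_key']) {`, or `hash_equals()` where the PHP version provides it. The `'drupal'` default also means a site where the variable was never stored accepts a publicly known key; the visible hunks only set it in system_install(), so the upgrade path for existing sites should be confirmed. A rejected request currently returns an empty response with no log entry, and a 403 plus a `watchdog()` message would make probing visible to administrators.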
diff --git a/modules/system/system.install b/modules/system/system.install
index 8e0cb94..c1854b2 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -170,11 +170,14 @@ function system_requirements($phase) {
}
}
+ $description .= ' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron')));
+ $description .= '<br />'. $t('To run cron from outside the site, go to <a href="!cron">!cron</a>', array('!cron' => url('cron.php', array('absolute' => true, 'query' => 'cron_key='. variable_get('cron_key', 'drupal')))));
+
$requirements['cron'] = array(
'title' => $t('Cron maintenance tasks'),
'severity' => $severity,
'value' => $summary,
- 'description' => $description .' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron'))),
+ 'description' => $description
);
}
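Review bot: The second added `$description` line inserts the cron URL through the `!cron` placeholder, which t() substitutes without escaping, while the line just above it uses the escaped `@cron` form for its link. Since the value lands in both an `href` attribute and the link text, `array('@cron' => url('cron.php', ...))` with `@cron` in the string would be the safer and more consistent choice. This line also prints the key to everyone who can view the status report, which is worth stating in the permission description or the docs. system_requirements() starts and ends outside this hunk.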
@@ -404,6 +407,10 @@ function system_install() {
db_query("INSERT INTO {variable} (name, value) VALUES ('%s','%s')", 'filter_html_1', 'i:1;');
db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'node_options_forum', 'a:1:{i:0;s:6:"status";}');
+
+ $cron_key = md5(time());
+
+ db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'cron_key', serialize($cron_key));
}
/**
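Review bot: `$cron_key = md5(time());` derives the key from the install timestamp alone, so the number of candidate keys is only as large as the uncertainty about when the site was installed, and hashing with md5 adds no entropy. The key should come from a cryptographically secure random source instead, for example `$cron_key = bin2hex(random_bytes(32));` on PHP 7 or later, or bytes read from the operating system's random device on older versions. The body of system_install() starts outside this hunk.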