Commit 45097b78 authored by Dries

- Patch #52910 by kbahey, keith.smith, Susurrus, et al: restrict access to cron.php.

parent 2e2c2bca
...@@ -2,6 +2,8 @@ ...@@ -2,6 +2,8 @@
Drupal 7.0, xxxx-xx-xx (development version) Drupal 7.0, xxxx-xx-xx (development version)
---------------------- ----------------------
- Security:
* Protected cron.php -- cron will only run if the proper key is provided.
- Usability: - Usability:
* Implemented drag-and-drop positioning for input format listings. * Implemented drag-and-drop positioning for input format listings.
* Provide descriptions for permissions on the administration page. * Provide descriptions for permissions on the administration page.
......
...@@ -207,20 +207,30 @@ INSTALLATION ...@@ -207,20 +207,30 @@ INSTALLATION
maintenance task, including search module (to build and update the index maintenance task, including search module (to build and update the index
used for keyword searching), aggregator module (to retrieve feeds from other used for keyword searching), aggregator module (to retrieve feeds from other
sites), and system module (to perform routine maintenance and pruning on sites), and system module (to perform routine maintenance and pruning on
system tables). system tables). To activate these tasks, visit the page "cron.php", which
To activate these tasks, call the cron page by visiting executes maintenance tasks on behalf of installed modules. The URL of the
http://www.example.com/cron.php, which, in turn, executes tasks on behalf cron.php page requires a "cron key" to protect against unauthorized access.
of installed modules. Each cron key is automatically generated during installation and is specific
to your site. The full URL of the page, with cron key, is available in the
"Cron maintenance tasks" section of the "Status report page" at:
Most systems support the crontab utility for scheduling tasks like this. The Administer > Reports > Status report
following example crontab line will activate the cron tasks automatically on
the hour:
0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php Most systems support using a crontab utility for automatically executing
tasks like visiting the cron.php page. The following example crontab line
uses wget to automatically visit the cron.php page each hour, on the hour:
0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php?cron_key=RANDOMTEXT
Replace the text "http://www.example.com/cron.php?cron_key=RANDOMTEXT" in the
example with the full URL displayed under "Cron maintenance tasks" on the
"Status report" page.
More information about cron maintenance tasks are available in the help pages More information about cron maintenance tasks are available in the help pages
and in Drupal's online handbook at http://drupal.org/cron. Example scripts can and in Drupal's online handbook at http://drupal.org/cron. Example cron scripts
be found in the scripts/ directory. can be found in the scripts/ directory. (Note that these scripts must be
customized similar to the above example, to add your site-specific cron key
and domain name.)
DRUPAL ADMINISTRATION DRUPAL ADMINISTRATION
--------------------- ---------------------
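Review bot: The example crontab line carries the cron key in the query string ("cron.php?cron_key=RANDOMTEXT"), so the key ends up in the web server's access log, in any proxy logs along the path, and in clear text in the crontab itself; the paragraph should say so and advise keeping the crontab and those logs readable by administrators only. Two wording points in the same hunk: "More information about cron maintenance tasks are available" should read "is available", and the page is named both "Status report page" (with "page" inside the quotes) and "Status report" page.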
......
...@@ -8,4 +8,6 @@ ...@@ -8,4 +8,6 @@
include_once './includes/bootstrap.inc'; include_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL); drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
drupal_cron_run(); if (isset($_GET['cron_key']) && variable_get('cron_key', 'drupal') == $_GET['cron_key']) {
drupal_cron_run();
}
\ No newline at end of file
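Review bot: The fallback in variable_get('cron_key', 'drupal') means that any site where the variable is not set accepts the fixed key "drupal"; in the hunks shown here the key is written only in system_install(), so a site upgraded from an earlier version would be in that state unless an update function also creates it. Treat a missing key as "deny" rather than comparing against a default. The comparison also uses loose ==, and $_GET['cron_key'] is request input (it can arrive as an array, and numeric-looking strings are compared as numbers), so check that it is a string and compare with ===. When the check fails the script ends silently; returning a 403 and logging the attempt would let operators notice a stale key in their crontab.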
...@@ -170,11 +170,14 @@ function system_requirements($phase) { ...@@ -170,11 +170,14 @@ function system_requirements($phase) {
} }
} }
$description .= ' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron')));
$description .= '<br />'. $t('To run cron from outside the site, go to <a href="!cron">!cron</a>', array('!cron' => url('cron.php', array('absolute' => true, 'query' => 'cron_key='. variable_get('cron_key', 'drupal')))));
$requirements['cron'] = array( $requirements['cron'] = array(
'title' => $t('Cron maintenance tasks'), 'title' => $t('Cron maintenance tasks'),
'severity' => $severity, 'severity' => $severity,
'value' => $summary, 'value' => $summary,
'description' => $description .' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron'))), 'description' => $description
); );
} }
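Review bot: In the added "To run cron from outside the site" line the URL is inserted with the !cron placeholder, which t() substitutes without escaping, in both the href and the link text; the line above it uses @cron, and this one should do the same. The same line writes 'absolute' => true where Drupal's coding standards use uppercase TRUE, and the sentence has no closing period. Since the description now prints the key itself, everyone who can view the status report can read it, which is worth stating in the documentation.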
...@@ -404,6 +407,10 @@ function system_install() { ...@@ -404,6 +407,10 @@ function system_install() {
db_query("INSERT INTO {variable} (name, value) VALUES ('%s','%s')", 'filter_html_1', 'i:1;'); db_query("INSERT INTO {variable} (name, value) VALUES ('%s','%s')", 'filter_html_1', 'i:1;');
db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'node_options_forum', 'a:1:{i:0;s:6:"status";}'); db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'node_options_forum', 'a:1:{i:0;s:6:"status";}');
$cron_key = md5(time());
db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'cron_key', serialize($cron_key));
} }
/** /**
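Review bot: $cron_key = md5(time()) derives the key from the installation timestamp alone, so the key has only as much entropy as the uncertainty about when the site was installed; hashing with MD5 does not add any. Generate the key from a cryptographically secure random source instead, and keep the md5-style hex encoding only if the format matters for the URL.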
......