Commit 45097b78 authored by Dries

- Patch #52910 by kbahey, keith.smith, Susurrus, et al: restrict access to cron.php.

parent 2e2c2bca
......@@ -2,6 +2,8 @@
Drupal 7.0, xxxx-xx-xx (development version)
----------------------
- Security:
* Protected cron.php -- cron will only run if the proper key is provided.
- Usability:
* Implemented drag-and-drop positioning for input format listings.
* Provide descriptions for permissions on the administration page.
......
......@@ -207,20 +207,30 @@ INSTALLATION
maintenance task, including search module (to build and update the index
used for keyword searching), aggregator module (to retrieve feeds from other
sites), and system module (to perform routine maintenance and pruning on
system tables).
To activate these tasks, call the cron page by visiting
http://www.example.com/cron.php, which, in turn, executes tasks on behalf
of installed modules.
system tables). To activate these tasks, visit the page "cron.php", which
executes maintenance tasks on behalf of installed modules. The URL of the
cron.php page requires a "cron key" to protect against unauthorized access.
Each cron key is automatically generated during installation and is specific
to your site. The full URL of the page, with cron key, is available in the
"Cron maintenance tasks" section of the "Status report page" at:
Most systems support the crontab utility for scheduling tasks like this. The
following example crontab line will activate the cron tasks automatically on
the hour:
Administer > Reports > Status report
0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php
Most systems support using a crontab utility for automatically executing
tasks like visiting the cron.php page. The following example crontab line
uses wget to automatically visit the cron.php page each hour, on the hour:
0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php?cron_key=RANDOMTEXT
Replace the text "http://www.example.com/cron.php?cron_key=RANDOMTEXT" in the
example with the full URL displayed under "Cron maintenance tasks" on the
"Status report" page.
More information about cron maintenance tasks are available in the help pages
and in Drupal's online handbook at http://drupal.org/cron. Example scripts can
be found in the scripts/ directory.
and in Drupal's online handbook at http://drupal.org/cron. Example cron scripts
can be found in the scripts/ directory. (Note that these scripts must be
customized similar to the above example, to add your site-specific cron key
and domain name.)
DRUPAL ADMINISTRATION
---------------------
......
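Review bot: the crontab example passes the cron key in the query string of a plain http:// URL, so the key is sent in cleartext, is written to the web server's access log on every run, and is readable by anyone who can read the crontab. The INSTALL text should say this and tell administrators to restrict read access to the crontab and the access logs. Minor: the context line "More information about cron maintenance tasks are available" should read "is available", and since the following sentence is being rewritten anyway it could be fixed in the same patch.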
......@@ -8,4 +8,6 @@
include_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
drupal_cron_run();
if (isset($_GET['cron_key']) && variable_get('cron_key', 'drupal') == $_GET['cron_key']) {
drupal_cron_run();
}
\ No newline at end of file
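Review bot: the new condition in cron.php compares against variable_get('cron_key', 'drupal'), so whenever no cron_key variable is stored the check falls back to a fixed, publicly known string and the protection is effectively off. This diff only writes the variable in system_install(), so a site where it is missing (deleted variable, or an existing install with no update path) gets that default. Suggest failing closed: read the key with an empty default and refuse to run when it is empty. The comparison should also be strict (=== rather than ==) after checking that $_GET['cron_key'] is a string, and a rejected request should return an access-denied response and be logged, so that failed attempts are visible instead of producing a silent empty page.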
......@@ -170,11 +170,14 @@ function system_requirements($phase) {
}
}
$description .= ' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron')));
$description .= '<br />'. $t('To run cron from outside the site, go to <a href="!cron">!cron</a>', array('!cron' => url('cron.php', array('absolute' => true, 'query' => 'cron_key='. variable_get('cron_key', 'drupal')))));
$requirements['cron'] = array(
'title' => $t('Cron maintenance tasks'),
'severity' => $severity,
'value' => $summary,
'description' => $description .' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron'))),
'description' => $description
);
}
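Review bot: the added $description line builds its link with the !cron placeholder, which t() inserts without escaping, while the link on the line above it uses @cron, which is escaped. The value goes into both an href attribute and the link text, so it should use @cron as well; today the key is an md5 hex string, but nothing in this hunk guarantees the stored variable stays that way. The same line also repeats the 'drupal' default from cron.php, so the status report would display a working-looking URL with the fallback key instead of flagging that no key is set. Style: 'absolute' => true should be TRUE, and the new 'description' => $description line has lost the trailing comma the removed line had.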
......@@ -404,6 +407,10 @@ function system_install() {
db_query("INSERT INTO {variable} (name, value) VALUES ('%s','%s')", 'filter_html_1', 'i:1;');
db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'node_options_forum', 'a:1:{i:0;s:6:"status";}');
$cron_key = md5(time());
db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'cron_key', serialize($cron_key));
}
/**
......
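Review bot: $cron_key = md5(time()) in system_install() derives the key from the install timestamp alone, so hashing adds no secrecy and the key is only as unpredictable as the second at which the site was installed, which is often easy to estimate. The key should come from a random source rather than the clock. Also, this hunk only covers fresh installs; no update function that generates a key for existing sites is visible in this diff, which ties back to the 'drupal' fallback in cron.php.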