Commit ff3cb663 authored by Drew Webber

Issue #2431283 by willzyx, salvis, David_Rothstein, thalles, Berdir, Fabianx,...

Issue #2431283 by willzyx, salvis, David_Rothstein, thalles, Berdir, Fabianx, tstoeckler, alexpott, Dave Reid, mcdruid: Cron CSRF vulnerability
parent a390092d
+4 −0
@@ -2366,6 +2366,10 @@ function system_status($check = FALSE) {
 * Menu callback: run cron manually.
 */
function system_run_cron() {
  if (!isset($_GET['token']) || !drupal_valid_token($_GET['token'], 'run-cron')) {
    return MENU_ACCESS_DENIED;
  }

  // Run cron manually
  if (drupal_cron_run()) {
    drupal_set_message(t('Cron ran successfully.'));
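Review bot: The docblock above system_run_cron still reads only `Menu callback: run cron manually.` and says nothing about the new precondition, so anyone building the link by hand (or bookmarking the old URL) gets a bare 403 with no hint why. I would extend it to `* Menu callback: run cron manually.` / `*` / `* Requires a valid 'run-cron' token in the 'token' query parameter (see drupal_get_token()); requests without one are denied with MENU_ACCESS_DENIED.` The operation is still triggered by a GET request, so the token ends up in request logs and browser history; if drupal_get_token() is session-bound as it appears to be that exposure is limited, but a confirmation form submitted via POST with a form token would avoid it entirely and is worth considering as a follow-up. The body of system_run_cron continues past the end of the hunk.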
+1 −1
@@ -3175,7 +3175,7 @@ function hook_requirements($phase) {
      );
    }

    $requirements['cron']['description'] .= ' ' . $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron')));
    $requirements['cron']['description'] .= ' ' . $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron', array('query' => array('token' => drupal_get_token('run-cron'))))));

    $requirements['cron']['title'] = $t('Cron maintenance tasks');
  }
+1 −1
@@ -339,7 +339,7 @@ function system_requirements($phase) {
      $description = $t('Cron has not run recently.') . ' ' . $help;
    }

    $description .= ' ' . $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron')));
    $description .= ' ' . $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron', array('query' => array('token' => drupal_get_token('run-cron'))))));
    $description .= '<br />' . $t('To run cron from outside the site, go to <a href="!cron">!cron</a>', array('!cron' => url($base_url . '/cron.php', array('external' => TRUE, 'query' => array('cron_key' => variable_get('cron_key', 'drupal'))))));

    $requirements['cron'] = array(
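Review bot: The rewritten `$description` line carries a `token` query parameter with no explanation, and a future maintainer simplifying the url() call would silently reintroduce the vulnerability; a one-line comment above it is warranted: `// The manual run link must carry a CSRF token; system_run_cron() rejects requests without one with a 403.` Since the token is minted by drupal_get_token() at render time it is presumably tied to the viewing admin's session, so a copied or bookmarked status-report link will stop working once that session ends — the comment could say so to pre-empt bug reports. The enclosing system_requirements() function starts and ends outside this hunk.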
+16 −0
@@ -925,6 +925,22 @@ class CronRunTestCase extends DrupalWebTestCase {
    $this->assertEqual($result, 'success', 'Cron correctly handles exceptions thrown during hook_cron() invocations.');
  }

  /**
   * Ensure that the manual cron run is working.
   */
  function testManualCron() {
    $admin_user = $this->drupalCreateUser(array('administer site configuration'));
    $this->drupalLogin($admin_user);

    $this->drupalGet('admin/reports/status/run-cron');
    $this->assertResponse(403);

    $this->drupalGet('admin/reports/status');
    $this->clickLink(t('run cron manually'));
    $this->assertResponse(200);
    $this->assertText(t('Cron ran successfully.'));
  }

  /**
   * Tests that hook_flush_caches() is not invoked on every single cron run.
   *
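Review bot: testManualCron only exercises the missing-token case and the happy path through the status-page link; it never sends a wrong token, so a regression that made the check accept any non-empty string would still pass. I would add, between the two existing requests, `$this->drupalGet('admin/reports/status/run-cron', array('query' => array('token' => 'invalid')));` followed by `$this->assertResponse(403);`. It would also be worth asserting that a user without 'administer site configuration' still receives 403 even when carrying a valid-looking token, to confirm the token check supplements rather than replaces the permission check — that behaviour lives in the menu access callback, which is outside this hunk.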
+2 −1
@@ -367,8 +367,9 @@ function update_cache_clear_submit($form, &$form_state) {
 */
function _update_no_data() {
  $destination = drupal_get_destination();
  $cron_token = array('token' => drupal_get_token('run-cron'));
  return t('No update information available. <a href="@run_cron">Run cron</a> or <a href="@check_manually">check manually</a>.', array(
    '@run_cron' => url('admin/reports/status/run-cron', array('query' => $destination)),
    '@run_cron' => url('admin/reports/status/run-cron', array('query' => $cron_token + $destination)),
    '@check_manually' => url('admin/reports/updates/check', array('query' => $destination)),
  ));
}
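Review bot: The sibling `@check_manually` link on the line after the changed one is still built with only `$destination` and no token, while `@run_cron` now carries one; if admin/reports/updates/check likewise performs a state-changing action on a GET request it has the same CSRF exposure and should get the same treatment — that callback is not visible here, so this needs confirming. The `$cron_token + $destination` union on the added line deliberately gives the token precedence over any caller-supplied query key named `token`, which is correct but non-obvious and deserves a comment: `// Array union: the CSRF token must not be overridden by a value from the destination query.` _update_no_data() is fully contained in this hunk.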