- Patch #52910 by kbahey, keith.smith, Susurrus, et al: restict access to cron.php.

2008-03-17 16:53:58 +00:00 · 2008-03-17 16:53:58 +00:00 · 45097b78b7
parent 2e2c2bcac0
commit 45097b78b7
4 changed files with 33 additions and 12 deletions
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@ -2,6 +2,8 @@

 Drupal 7.0, xxxx-xx-xx (development version)
 ----------------------
+- Security:
+    * Protected cron.php -- cron will only run if the proper key is provided.
 - Usability:
    * Implemented drag-and-drop positioning for input format listings.
    * Provide descriptions for permissions on the administration page.
--- a/INSTALL.txt
+++ b/INSTALL.txt
@ -207,20 +207,30 @@ INSTALLATION
   maintenance task, including search module (to build and update the index
   used for keyword searching), aggregator module (to retrieve feeds from other
   sites), and system module (to perform routine maintenance and pruning on
-   system tables).
-   To activate these tasks, call the cron page by visiting
-   http://www.example.com/cron.php, which, in turn, executes tasks on behalf
-   of installed modules.
+   system tables). To activate these tasks, visit the page "cron.php", which
+   executes maintenance tasks on behalf of installed modules. The URL of the
+   cron.php page requires a "cron key" to protect against unauthorized access.
+   Each cron key is automatically generated during installation and is specific
+   to your site. The full URL of the page, with cron key, is available in the
+   "Cron maintenance tasks" section of the "Status report page" at:

-   Most systems support the crontab utility for scheduling tasks like this. The
-   following example crontab line will activate the cron tasks automatically on
-   the hour:
+          Administer > Reports > Status report

-   0   *   *   *   *   wget -O - -q -t 1 http://www.example.com/cron.php
+   Most systems support using a crontab utility for automatically executing
+   tasks like visiting the cron.php page. The following example crontab line
+   uses wget to automatically visit the cron.php page each hour, on the hour:
+
+   0   *   *   *   *   wget -O - -q -t 1 http://www.example.com/cron.php?cron_key=RANDOMTEXT
+
+   Replace the text "http://www.example.com/cron.php?cron_key=RANDOMTEXT" in the
+   example with the full URL displayed under "Cron maintenance tasks" on the
+   "Status report" page.

   More information about cron maintenance tasks are available in the help pages
-   and in Drupal's online handbook at http://drupal.org/cron. Example scripts can
-   be found in the scripts/ directory.
+   and in Drupal's online handbook at http://drupal.org/cron. Example cron scripts
+   can be found in the scripts/ directory. (Note that these scripts must be
+   customized similar to the above example, to add your site-specific cron key
+   and domain name.)

 DRUPAL ADMINISTRATION
 ---------------------
--- a/cron.php
+++ b/cron.php
@ -8,4 +8,6 @@

 include_once './includes/bootstrap.inc';
 drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
-drupal_cron_run();
+if (isset($_GET['cron_key']) && variable_get('cron_key', 'drupal') == $_GET['cron_key']) {
+  drupal_cron_run();
+}
--- a/modules/system/system.install
+++ b/modules/system/system.install
@ -170,11 +170,14 @@ function system_requirements($phase) {
      }
    }

+    $description .= ' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron')));
+    $description .= '<br />'. $t('To run cron from outside the site, go to <a href="!cron">!cron</a>', array('!cron' => url('cron.php', array('absolute' => true, 'query' => 'cron_key='. variable_get('cron_key', 'drupal')))));
+
    $requirements['cron'] = array(
      'title' => $t('Cron maintenance tasks'),
      'severity' => $severity,
      'value' => $summary,
-      'description' => $description .' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron'))),
+      'description' => $description
    );
  }

@ -404,6 +407,10 @@ function system_install() {
  db_query("INSERT INTO {variable} (name, value) VALUES ('%s','%s')", 'filter_html_1', 'i:1;');

  db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'node_options_forum', 'a:1:{i:0;s:6:"status";}');
+
+  $cron_key = md5(time());
+
+  db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'cron_key', serialize($cron_key));
 }

 /**