-rw-r--r--CHANGELOG.txt2
-rw-r--r--INSTALL.txt30
-rw-r--r--cron.php4
-rw-r--r--modules/system/system.install9
4 files changed, 33 insertions, 12 deletions
diff --git a/CHANGELOG.txt b/CHANGELOG.txt
index 7b44c75af..102892f41 100644
--- a/CHANGELOG.txt
+++ b/CHANGELOG.txt
@@ -2,6 +2,8 @@
Drupal 7.0, xxxx-xx-xx (development version)
----------------------
+- Security:
+ * Protected cron.php -- cron will only run if the proper key is provided.
- Usability:
* Implemented drag-and-drop positioning for input format listings.
* Provide descriptions for permissions on the administration page.
diff --git a/INSTALL.txt b/INSTALL.txt
index a15786c95..93a627ce0 100644
--- a/INSTALL.txt
+++ b/INSTALL.txt
@@ -207,20 +207,30 @@ INSTALLATION
maintenance task, including search module (to build and update the index
used for keyword searching), aggregator module (to retrieve feeds from other
sites), and system module (to perform routine maintenance and pruning on
- system tables).
- To activate these tasks, call the cron page by visiting
- http://www.example.com/cron.php, which, in turn, executes tasks on behalf
- of installed modules.
+ system tables). To activate these tasks, visit the page "cron.php", which
+ executes maintenance tasks on behalf of installed modules. The URL of the
+ cron.php page requires a "cron key" to protect against unauthorized access.
+ Each cron key is automatically generated during installation and is specific
+ to your site. The full URL of the page, with cron key, is available in the
+ "Cron maintenance tasks" section of the "Status report page" at:
- Most systems support the crontab utility for scheduling tasks like this. The
- following example crontab line will activate the cron tasks automatically on
- the hour:
+ Administer > Reports > Status report
- 0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php
+ Most systems support using a crontab utility for automatically executing
+ tasks like visiting the cron.php page. The following example crontab line
+ uses wget to automatically visit the cron.php page each hour, on the hour:
+
+ 0 * * * * wget -O - -q -t 1 http://www.example.com/cron.php?cron_key=RANDOMTEXT
+
+ Replace the text "http://www.example.com/cron.php?cron_key=RANDOMTEXT" in the
+ example with the full URL displayed under "Cron maintenance tasks" on the
+ "Status report" page.
More information about cron maintenance tasks are available in the help pages
- and in Drupal's online handbook at http://drupal.org/cron. Example scripts can
- be found in the scripts/ directory.
+ and in Drupal's online handbook at http://drupal.org/cron. Example cron scripts
+ can be found in the scripts/ directory. (Note that these scripts must be
+ customized similar to the above example, to add your site-specific cron key
+ and domain name.)
DRUPAL ADMINISTRATION
---------------------
diff --git a/cron.php b/cron.php
index f242ee782..e40dc2d9b 100644
--- a/cron.php
+++ b/cron.php
@@ -8,4 +8,6 @@
include_once './includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
-drupal_cron_run();
+if (isset($_GET['cron_key']) && variable_get('cron_key', 'drupal') == $_GET['cron_key']) {
+ drupal_cron_run();
+}
\ No newline at end of file
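Review bot: The key check on the added `if` line falls back to the fixed string 'drupal' when no `cron_key` variable is stored, so a site without that variable accepts a publicly known key; the visible hunks set it only in system_install(), so upgraded sites are presumably affected. The comparison also uses loose `==`, under which two numeric-looking strings can compare equal even though they differ. I would fail closed and compare strictly: `$key = variable_get('cron_key', NULL);` followed by `if (is_string($key) && isset($_GET['cron_key']) && is_string($_GET['cron_key']) && $key === $_GET['cron_key']) {`. A rejected request currently ends with an empty response and nothing logged; an `else` branch that records the attempt with `watchdog()` and calls `drupal_access_denied()` would make failed attempts visible to the site operator.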
diff --git a/modules/system/system.install b/modules/system/system.install
index 8e0cb9409..c1854b20f 100644
--- a/modules/system/system.install
+++ b/modules/system/system.install
@@ -170,11 +170,14 @@ function system_requirements($phase) {
}
}
+ $description .= ' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron')));
+ $description .= '<br />'. $t('To run cron from outside the site, go to <a href="!cron">!cron</a>', array('!cron' => url('cron.php', array('absolute' => true, 'query' => 'cron_key='. variable_get('cron_key', 'drupal')))));
+
$requirements['cron'] = array(
'title' => $t('Cron maintenance tasks'),
'severity' => $severity,
'value' => $summary,
- 'description' => $description .' '. $t('You can <a href="@cron">run cron manually</a>.', array('@cron' => url('admin/reports/status/run-cron'))),
+ 'description' => $description
);
}
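Review bot: The new "To run cron from outside the site" line passes the cron URL through the `!cron` placeholder, which t() inserts without escaping, both as the href attribute and as the link text; the line above it uses the escaped `@cron` form for its link. Switching to `<a href="@cron">@cron</a>` with `array('@cron' => url(...))` keeps the output escaped if the base URL or query string ever carries HTML-significant characters. The same `variable_get('cron_key', 'drupal')` fallback is used here, so a site with no stored key would be shown a URL carrying the default value; showing a warning instead would be safer. The key is rendered to everyone who can view the status report, which deserves a short comment next to this line. system_requirements() starts and ends outside this hunk.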
@@ -404,6 +407,10 @@ function system_install() {
db_query("INSERT INTO {variable} (name, value) VALUES ('%s','%s')", 'filter_html_1', 'i:1;');
db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'node_options_forum', 'a:1:{i:0;s:6:"status";}');
+
+ $cron_key = md5(time());
+
+ db_query("INSERT INTO {variable} (name, value) VALUES ('%s', '%s')", 'cron_key', serialize($cron_key));
}
/**
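Review bot: `md5(time())` derives the cron key solely from the install timestamp, so the key is only as unpredictable as the installation time itself, and hashing it adds no secrecy. Since this value is the only thing gating cron.php, it should come from a cryptographically secure random source, for example `$cron_key = bin2hex(random_bytes(32));` on PHP versions that provide it, or an equivalent read from the operating system's random device otherwise. The key is added only in system_install() in the visible hunks; I do not see an update function that creates it for existing sites, so confirm one exists elsewhere. A one-line comment above the assignment stating that the value is a secret and must be unpredictable would help later maintainers.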