By peterk900 on

I have external  php scripts that  bootstraps Drupal to insert nodes.  Access to the folder where the script resides is prevented for a non-authenticated user - however if you know the script name then it seems that anyone could paste the url into a browser and run the script.   This seems like a security weakness - what do I need to do to overcome this problem ? Thanks. 

Categories: Drupal 7.x

Comments

Jaypan’s picture

Jaypan commented

Create a module that executes the script at a certain path, and put permissions on to that path.

peterk900’s picture

peterk900 commented

Thank you - that's certainly one way of doing it.  But if I'm creating a module then I guess cURL/Bootstrapping isn't needed.

What I was hoping was to protect an external php script like this :

<?php
chdir('../mmclone1');
define('DRUPAL_ROOT', getcwd());
require_once DRUPAL_ROOT . '/includes/bootstrap.inc';
drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);

if ($_GET["name"] != 'xx9'){
	print t('Not Authorised');
	
	
	exit();
}	

chdir('../php1');

$node = new stdClass();
  $node->title = "Test 996 Title";
  $node->type = "article";
  node_object_prepare($node); // Sets some defaults. Invokes hook_prepare() and hook_node_prepare().
  $node->language = LANGUAGE_NONE; // Or e.g. 'en' if locale is enabled
  $node->body[$node->language][0]['value']   = "Test1";
  $node->uid = 1;
  $node->status = 1; //(1 or 0): published or not
  $node->promote = 0; //(1 or 0): promoted to front page
  $node->comment = 0; // 0 = comments disabled, 1 = read only, 2 = read/write
  $node = node_submit($node); // Prepare node for saving
  node_save($node);
  echo "Inserted article!";

This code runs from a non-Drupal folder on the same server as the Drupal site where the node is being inserted.  If I want to access a Drupal site on another server ( another domain ) then I can include the BOOTSTRAP code in a cURL script. 

As an attempt at 'security' the code will only work if the parameter xx9 is supplied. So if someone finds out the file name ( I don't mean get access to the script code ), they can't run the file unless they know the parameter.

I guess you could get the parameter value for the Drupal variables table, which would mean it could be changed regularly. I suppose you could wrap the parameter in some other characters - e.g. date and time in reverse, and then test that the scrambled date and time was within 1 minute of when the script was run.

But all this is a bit tacky ! It would be nice if the script could just include a username and password - just like you would do if you were connecting a non-Drupal script to MySQL.  But it doesn't see mto work like that.