In 52910, we introduced a cron key that prevents cron from executing from remote sites that don't know the key.
However, there is no upgrade path for this for existing sites, and hence using cron.php?cron_key=drupal would work, defeating the whole purpose of this change.
This patch introduces an update.php update that generates the cron key, so existing sites are protected.
I tested it and it works ... More tests appreciated.
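The upgrade path this issue describes, as an added Python illustration (not Drupal's code and not the attached patch): a site whose cron_key is still the shipped default 'drupal' passes the cron check, the update step replaces that default with a random key and leaves an already-set key alone, and the check compares in constant time. It uses secrets.token_hex rather than the md5(mt_rand()) discussed in the thread; the function names and the settings dict are assumptions.

```python
import hmac
import secrets

# The key a site is left with when nothing regenerates it (from the issue text).
DEFAULT_KEY = "drupal"


def needs_new_cron_key(settings):
    """True when the site has no cron key or still has the guessable default."""
    return settings.get("cron_key", DEFAULT_KEY) == DEFAULT_KEY


def run_cron_key_update(settings, generate=lambda: secrets.token_hex(16)):
    """Update-path step (hypothetical name): write a fresh key only if the site
    still has the default, so re-running the update never rotates a real key.
    Returns True when a key was written."""
    if not needs_new_cron_key(settings):
        return False
    settings["cron_key"] = generate()  # 16 random bytes as 32 hex chars by default
    return True


def cron_allowed(settings, supplied_key):
    """cron.php-style check of ?cron_key=...: reject a missing key on either
    side, otherwise compare in constant time so the key cannot leak via timing."""
    expected = settings.get("cron_key")
    if not expected or supplied_key is None:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), supplied_key.encode("utf-8"))


if __name__ == "__main__":
    site = {"cron_key": DEFAULT_KEY}  # constructed: a site upgraded without this fix
    print("default key accepted before update:", cron_allowed(site, "drupal"))
    run_cron_key_update(site)
    print("default key accepted after update:", cron_allowed(site, "drupal"))
    print("generated key accepted:", cron_allowed(site, site["cron_key"]))
```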
Comment | File | Size | Author |
---|---|---|---|
#3 | 235821-2.patch | 1.22 KB | kbahey |
#1 | 235821.patch | 786 bytes | kbahey |
Comments
Comment #1
kbahey commented: And here is the patch
Comment #2
pwolanin commented: I'd at least make it mt_rand() or some such rather than time() for the hash
Comment #3
kbahey commented: This reroll changes the value used in the hash to be mt_rand(), instead of just time(), since it can be guessed by brute force.
Thanks to pwolanin for this idea.
Comment #4
Dries commented: I've committed this patch to CVS HEAD. Thanks!
Comment #5
breyten commented: If we use mt_rand() here, we should reroll #52910: Restrict access to cron as well to use the same.
Comment #6
breyten commented: *coughs* nevermind me, sorry!
Comment #7
birdmanx35 commented
Comment #8
Anonymous (not verified) commented: Automatically closed -- issue fixed for two weeks with no activity.