? files
Index: cron.php
===================================================================
RCS file: /cvs/drupal/drupal/cron.php,v
retrieving revision 1.34
diff -u -r1.34 cron.php
--- cron.php 31 Dec 2005 14:18:22 -0000 1.34
+++ cron.php 7 Mar 2006 16:18:39 -0000
@@ -9,6 +9,96 @@
 include_once './includes/bootstrap.inc';
 drupal_bootstrap(DRUPAL_BOOTSTRAP_FULL);
+
+if (variable_get('cron_security_enabled', '0') === '1') {
+ $cron_auth = FALSE;
+
+ /**
+ * PHP_SAPI constant available since PHP 4.2.0
+ * php_sapi_name() function available since PHP 4.0.1
+ */
+ if ( !defined('PHP_SAPI') ) {
+ define('PHP_SAPI', php_sapi_name());
+ }
+
+
+ define('CRON_SECURITY_TYPE_CLI', '1');
+ define('CRON_SECURITY_TYPE_IP', '0');
+
+ /**
+ * Check what security type we have.
+ */
+ switch ( variable_get('cron_security_type', '1') ) {
+
+ /**
+ * Allow only from cli
+ */
+ case CRON_SECURITY_TYPE_CLI:
+ /**
+ * TODO: test this in windows.
+ *
+ * Will this work with m$ windows Scheduled task??
+ * eg. when you setup a scheduled task to run 'php.exe cron.php'
+ */
+
+ if ( PHP_SAPI === 'cli' ) {
+ $cron_auth = TRUE;
+ }
+
+ break;
+
+ /**
+ * Ip address based
+ */
+ case CRON_SECURITY_TYPE_IP:
+
+ $cron_ips = explode("\n", variable_get('cron_security_ips', ''));
+ $cron_rhost =& $_SERVER['REMOTE_ADDR'];
+
+ foreach ($cron_ips as $cron_ip) {
+ $cron_ip = rtrim($cron_ip);
+ if (($cron_ip != ('' && NULL)) && (substr($cron_rhost,0,strlen($cron_ip)) === $cron_ip)) {
+ $cron_auth = TRUE;
+ break;
+ }
+ }
+
+ break;
+ }
+
+ if ( $cron_auth === FALSE ) {
+
+ if (variable_get('cron_security_log', '1') === '1') {
+ watchdog('cron_security', t('Unauthorized request to file %cron', array('%cron' => 'cron.php')), WATCHDOG_WARNING);
+ }
+
+ /**
+ * maby it would be better to always just:
+ * die();
+ * insted of displaying some fancy error messages.
+ */
+ if (PHP_SAPI != 'cli') {
+ /**
+ * RFC2616
+ * 10.4.4 403 Forbidden
+ * The server understood the request, but is refusing to fulfill it...
+ */
+ drupal_set_header("HTTP/1.1 403 Forbidden");
+
+ drupal_maintenance_theme();
+ drupal_set_title('Forbidden');
+ print theme('maintenance_page', NULL);
+ }
+ else {
+ printf("%s\n",t('You are not allowed to access this file'));
+ }
+
+ die();
+
+ }
+
+}
+
 // If not in 'safe mode', increase the maximum execution time:
 if (!ini_get('safe_mode')) {
 set_time_limit(240);
Index: modules/system.module
===================================================================
RCS file: /cvs/drupal/drupal/modules/system.module,v
retrieving revision 1.297
diff -u -r1.297 system.module
--- modules/system.module 4 Mar 2006 17:49:21 -0000 1.297
+++ modules/system.module 7 Mar 2006 16:18:41 -0000
@@ -466,6 +466,47 @@
 $form['cron'] = array('#type' => 'fieldset', '#title' => t('Cron jobs'), '#collapsible' => TRUE, '#collapsed' => TRUE);
 $form['cron'] = array_merge($form['cron'], system_cron_settings());
+ // Cron: security.
+ $form['cron']['cron_security'] = array(
+ '#type' => 'fieldset',
+ '#title' => t('Cron security'),
+ '#collapsible' => TRUE,
+ '#collapsed' => TRUE
+ );
+
+ $form['cron']['cron_security']['cron_security_enabled'] = array(
+ '#type' => 'radios',
+ '#title' => t('cron security'),
+ '#options' => array(t('disabled'),t('enabled')),
+ '#default_value' => variable_get('cron_security_enabled', '0'),
+ '#description' => t('When enabled, only specified hosts are allowed to run cron jobs')
+
+ );
+
+ $form['cron']['cron_security']['cron_security_type'] = array(
+ '#type' => 'select',
+ '#title' => t('Security type'),
+ '#options' => array(t('ip address based'), t('command line only')),
+ '#default_value' => variable_get('cron_security_type','0'),
+ '#description' => t('ip address based: only allow access to cron only from specific ip addresses
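Review bot: The address test in the `CRON_SECURITY_TYPE_IP` case is a plain string-prefix comparison, so an entry meant as a single host also admits every address that merely begins with the same characters; a constructed example is `10.0.0.1`, which also matches `10.0.0.10`–`10.0.0.19` and `10.0.0.100`–`10.0.0.199`. Match exactly unless the entry ends in a dot, e.g. `if ($cron_ip !== '' && ($cron_rhost === $cron_ip || (substr($cron_ip, -1) === '.' && strpos($cron_rhost, $cron_ip) === 0))) {`; this also replaces `$cron_ip != ('' && NULL)`, which evaluates to `$cron_ip != FALSE` and skips blank lines only by accident. If the site sits behind a reverse proxy, `$_SERVER['REMOTE_ADDR']` is the proxy's address and every request passes or fails together, which deserves a comment next to `$cron_rhost`. The strict `=== '1'` tests on `variable_get('cron_security_enabled', ...)` and `variable_get('cron_security_log', ...)` leave the check and the logging off whenever the stored value is not the string `'1'`; whether the settings form saves strings or integers is not visible here, so a loose comparison or an explicit cast would be safer.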
command line only: Allow cron to be run only from command line interface (eg. from local crontab using "php /path/to/cron.php")')
+ );
+
+ $form['cron']['cron_security']['cron_security_ips'] = array(
+ '#type' => 'textarea',
+ '#input' => TRUE,
+ '#title' => t('ip addresses that are allowed to access cron'),
+ '#description' => t('When security type is set to ip address based, enter the list of allowed ip addresses here. one ip address per line. This can also be the begining of the address. For example if you want to allow all computers from same network to run cron jobs on this drupal installation, you can add an entry like 10.0.0.'),
+ '#default_value' => variable_get('cron_security_ips', '127.0.0.1')
+ );
+
+ $form['cron']['cron_security']['cron_security_log'] = array(
+ '#type' => 'checkbox',
+ '#input' => TRUE,
+ '#title' => t('log unauthorized requests to cron.php'),
+ '#default_value' => variable_get('cron_security_log', '1')
+
+ );
+
 // Check database setup if necessary
 if (function_exists('db_check_setup') && empty($_POST)) {
 db_check_setup();
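Review bot: The `cron_security_type` select defaults to `'0'` (ip address based), while the check added to cron.php reads the same variable with a default of `'1'` (command line only), so until the form has been saved the page displays one mode and cron.php enforces the other; use one default in both places, e.g. `'#default_value' => variable_get('cron_security_type', '1'),`. The `cron_security_ips` textarea is saved without validation, and because cron.php treats each line as a prefix, a short stray line admits a wide address range; a validation step that accepts only a full address or a prefix ending in a dot would prevent that. The enclosing function starts and ends outside this hunk.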