While looking through my recent log events of linkchecker I "discovered" the URL http://example.com/httprl_async_function_callback?count=1. :-)

I'm asking myself if we need to secure the URL http://example.com/httprl_async_function_callback?count=1 with a hash, as is done for cron, e.g. http://example.com/httprl_async_function_callback?count=1&httprl_key=[hash], so nobody tries to execute this URL manually. As an aside, will something go wrong if I run the URL more than once while it's running, or is there already a lock?

Does it make sense?

Comments

mikeytown2

I use POST and store the keys in the POST. I picked POST because URLs are pretty visible, thus putting the keys in a POST hides them at first glance.
$_POST['master_key'] (hash)
$_POST['temp_key'] (Lock)

If the master_key and temp_key do not pass the tests then I fast 403. You can see the code in question: http://drupalcode.org/project/httprl.git/blob/refs/heads/7.x-1.x:/httprl...

Doing a GET on http://example.com/httprl_async_function_callback should only result in a fast 403. Did I answer everything? :)
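
An added example, not part of the original thread and not httprl's own code: a sketch of the check described in the comment above, where a callback accepts only a POST carrying a valid `master_key` and a currently held `temp_key`, and answers everything else with 403. The function names, the HMAC-based key derivation, the in-memory lock array and the consume-on-use behaviour are assumptions made for illustration.

```php
<?php
// Added illustration, not httprl's code. All names below are hypothetical.

// Assumption: the master key is an HMAC over a fixed label with a private site secret.
function example_master_key(string $siteSecret): string {
    return hash_hmac('sha256', 'async_function_callback', $siteSecret);
}

// Parent request side: issue a one-time temp key and record it as a held lock.
function example_issue_temp_key(array &$locks, int $now, int $ttl = 30): string {
    $tempKey = bin2hex(random_bytes(16));
    $locks[$tempKey] = $now + $ttl;   // expiry timestamp
    return $tempKey;
}

// Callback side: return the HTTP status the endpoint should send.
function example_check_callback(string $method, array $post, string $siteSecret, array &$locks, int $now): int {
    // GET (or anything but POST) never reaches the worker code.
    if ($method !== 'POST') {
        return 403;
    }
    $master = $post['master_key'] ?? null;
    $temp   = $post['temp_key'] ?? null;
    // Reject missing keys and array-typed input such as master_key[]=x.
    if (!is_string($master) || !is_string($temp)) {
        return 403;
    }
    // Constant-time comparison of the hash.
    if (!hash_equals(example_master_key($siteSecret), $master)) {
        return 403;
    }
    // The temp key must match a lock that is still held and not expired.
    if (!isset($locks[$temp]) || $locks[$temp] < $now) {
        return 403;
    }
    unset($locks[$temp]);   // consume it so a replayed request is refused
    return 200;
}

// Constructed sample run.
$secret = 'constructed-sample-secret';
$locks  = [];
$now    = 1700000000;
$post   = ['master_key' => example_master_key($secret), 'temp_key' => example_issue_temp_key($locks, $now)];

echo example_check_callback('GET', [], $secret, $locks, $now), "\n";   // plain GET
echo example_check_callback('POST', ['master_key' => 'guess', 'temp_key' => $post['temp_key']], $secret, $locks, $now), "\n";
echo example_check_callback('POST', $post, $secret, $locks, $now), "\n";   // valid, first use
echo example_check_callback('POST', $post, $secret, $locks, $now), "\n";   // same keys replayed
```

In a real deployment the lock store would have to be shared between the parent request and the callback (for example a database table), since the two run as separate HTTP requests.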

hass

Category: feature » support
Status: Active » Fixed

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.