By modul on
Hi all,
Just a (pretty worrying) idea: "cron.php" (and "update.php") are usually available in any Drupal root. Don't they offer ways to nitwits who want to bombard my site with unwanted "activities"? Update.php does an access check, so that should cause no problems. But for cron.php, things look different. I mean, if I simply put cron.php in an automated script to have it carried out 10,000 times, which can be done in a couple of lines, won't that effectively block my site from genuine users? Am I just seeing ghosts here?
Comments
Why are you worried about
Why are you worried about cron.php over, say, index.php or any other URL on your site?
File Permissions
The file permissions on the cron.php could stop people from accessing it and running it. If you're so paranoid, set them to under 600 or move or change the file name before you run cron.
In almost all hosting
In almost all hosting setups, setting permissions on cron.php to 600 will make it inaccessible via the web, which means it can never be run, at least not in the manner in which Drupal recommends you set it up.
As far as I can tell, the
As far as I can tell, the scripts don't run unless one is logged in as an administrator.
Sure it runs. Just enter
Sure it runs. Just enter example.com/cron.php... I just tried it and it runs from wherever I execute it.
Paranoid? Maybe.
Paranoid? Maybe.
You would like a check in cron.php limiting it to, let's say, 100 times per hour? 1 time per minute?
Shouldn't be too hard... But then again, opening the front page of your site with the same script would probably do more harm.
Dinilu.eu & Dinilu.nl & Dinilu.de & www.tit.nl
=-=
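The check suggested above (refuse repeated hits, one real run per interval) as an added example; this is not code from the thread or from Drupal core. The guard file path, the 60-second interval and the HTTP 429 response are assumptions; `drupal_cron_run()` is the real core function that cron.php calls.

```php
<?php
// Added example: a guard for the top of cron.php so that a burst of
// requests triggers at most one real cron run per interval and two
// runs never race on the same state. Path and interval are assumptions.

define('CRON_GUARD_FILE', sys_get_temp_dir() . '/drupal_cron_guard.json');
define('CRON_MIN_INTERVAL', 60); // seconds between real cron runs (assumed)

/**
 * Returns TRUE if this request may run cron, FALSE if it must be refused.
 * An exclusive, non-blocking file lock protects the read-modify-write of
 * the "last run" timestamp, so concurrent hits cannot both pass the check.
 */
function cron_guard_acquire($now, $min_interval = CRON_MIN_INTERVAL) {
  $fp = fopen(CRON_GUARD_FILE, 'c+');
  if ($fp === FALSE || !flock($fp, LOCK_EX | LOCK_NB)) {
    // Another request is inside the check right now: refuse, don't queue.
    return FALSE;
  }
  $state = json_decode(stream_get_contents($fp), TRUE);
  $last = is_array($state) && isset($state['last']) ? (int) $state['last'] : 0;
  if ($now - $last < $min_interval) {
    flock($fp, LOCK_UN);
    fclose($fp);
    return FALSE;
  }
  // Record this run before doing the work, so further hits inside the
  // interval are refused even while a long cron run is still in progress.
  ftruncate($fp, 0);
  rewind($fp);
  fwrite($fp, json_encode(array('last' => $now)));
  fflush($fp);
  flock($fp, LOCK_UN);
  fclose($fp);
  return TRUE;
}

if (!cron_guard_acquire(time())) {
  header('HTTP/1.1 429 Too Many Requests');
  header('Retry-After: ' . CRON_MIN_INTERVAL);
  exit;
}
// The original cron.php logic (bootstrap and drupal_cron_run()) follows here.
```

Refused requests cost one file open and one lock attempt instead of a full cron run, which is the point of the check: the cheap path is what an automated script hits.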
or at the very least the same amount of harm. DoS attacks can happen on any page of any site.
But cron is worse,
But cron is worse, because it takes a lot of CPU, and if you run it 500 times, you can't browse the website any longer.
And if I run index.php 500 times, browsing is still OK.
Anyway, how could we prevent executing cron.php from outside the server/LAN?
Some host their Drupal on Windows, where there is no 600 permission, etc.
=-=
Actually, if cron isn't slated to do anything, it doesn't run anything.
If all search content has been indexed, the cache regenerated and all other tasks completed, then...
If one has 200 queries on a front page, and index.php is called 500 times, that's a quick 100,000 queries : )
I'd think if this really was as major a problem as you are putting forth, there would be hundreds of threads about it on Drupal.org from site owners who've had their site taken down by this type of situation, as cron.php has been in the Drupal root for quite some time.
If anon visitors run cron.php, they are actually helping you more than hurting you by keeping your site up to date and fresh.
I believe there is a contrib module called poormanscron that uses anon users to keep cron.php running at regular intervals, based on having anon users trip the threshold, for cases where one may not have or may not understand how to set up and run cron jobs.
Yes, but some modules, like
Yes, but some modules, like xmlsitemap, send the sitemap out during cron runs... I don't know what happens if I call cron 100 times within a short period of time... it might send out the xmlmap a hundred times...?
Actually, the recommended
Actually, the recommended way of running cron automatically always does so as an anonymous user.