In 52910, we introduced a cron key that prevents cron from executing from remote sites that don't know the key.
However, there is no upgrade path for this for existing sites, and hence using cron.php?cron_key=drupal would work, defeating the whole purpose of this change.
This patch introduces an update for update.php generation of the cron key, so existing sites are protected.
I tested it and it works ... More tests appreciated.
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | 235821-2.patch | 1.22 KB | kbahey |
| #1 | 235821.patch | 786 bytes | kbahey |
Comments
Comment #1
kbahey commented:
And here is the patch.
Comment #2
pwolanin commented:
I'd at least make it mt_rand() or some such rather than time() for the hash.
Comment #3
kbahey commented:
This reroll changes the value used in the hash to be mt_rand(), instead of just time(), since it can be guessed by brute force.
Thanks to pwolanin for this idea.
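The upgrade path described in the summary and in #3, written out as an added example. This is not kbahey's patch and not Drupal's own code: it assumes the Drupal 6 API (variable_get(), variable_set(), hook_update_N() returning a $ret array), a placeholder module name "example" and update number 6999, and md5() as the hash applied to the random value, which the thread does not state.

```php
<?php
// Added example, not the patch attached to this issue. It shows the shape of
// the change being discussed: a hook_update_N() run by update.php that gives
// an existing site a cron key, plus the check cron.php performs against it.
// Drupal 6 API assumed (variable_get/variable_set, hook_update_N returning
// $ret); the update number 6999 and the "example" module name are placeholders.

/**
 * Generate a random cron key for sites that still use the old default.
 */
function example_update_6999() {
  $ret = array();
  // Sites installed before the cron key existed carry the default 'drupal',
  // which any remote caller can guess. Only those sites get a new key, so the
  // update is safe to re-run and does not clobber a key an admin already set.
  if (variable_get('cron_key', 'drupal') == 'drupal') {
    variable_set('cron_key', example_generate_cron_key());
  }
  return $ret;
}

/**
 * Build a cron key from an unpredictable source.
 *
 * time() is a poor seed: there is one candidate per second, so anyone who can
 * bracket when update.php ran can enumerate the key. mt_rand() (what the
 * reroll in #3 uses) draws from a 2^31 space. It is still not a CSPRNG; on
 * PHP 7+ random_bytes() is, and is preferred when available. md5() as the
 * hash is an assumption made for this example.
 */
function example_generate_cron_key() {
  if (function_exists('random_bytes')) {
    return bin2hex(random_bytes(16));
  }
  return md5(mt_rand());
}

/**
 * Decide whether a cron.php request carries the correct key.
 *
 * hash_equals() (PHP 5.6+) compares in constant time; the fallback mirrors
 * the plain == comparison of the era. An empty or missing key never matches.
 */
function example_cron_key_is_valid($supplied) {
  $expected = variable_get('cron_key', 'drupal');
  if (!is_string($supplied) || $supplied === '') {
    return FALSE;
  }
  if (function_exists('hash_equals')) {
    return hash_equals($expected, $supplied);
  }
  return $expected == $supplied;
}
```

The guard on the old default is what gives the update an idempotent upgrade path: a fresh install already has a key and is left alone, while a site upgraded from a release that shipped with 'drupal' gets one the first time update.php runs. The key check is the same comparison cron.php needs, so a request with cron_key=drupal stops working as soon as the update has run.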
Comment #4
dries commented:
I've committed this patch to CVS HEAD. Thanks!
Comment #5
breyten commented:
If we use mt_rand() here, we should reroll #52910: Restrict access to cron as well to use the same.
Comment #6
breyten commented:
*coughs* nevermind me, sorry!
Comment #7
birdmanx35 commented:
Comment #8
Anonymous (not verified) commented:
Automatically closed -- issue fixed for two weeks with no activity.