Because the function request_uri() doesn't return the protocol and host, as in http://www.example.com/cron.php, if we set
$base_url = 'http://www.example.com';
the bypass will fail.
So, the old method is better.

if (!$securesite_enabled || strstr(request_uri(),'cron.php')) {
	return;
}
Comment | File | Size | Author
#4 | securesite-179618.patch | 1.02 KB | NaX

Comments

Kirin_Lin@drupaltaiwan.org’s picture

I thought about this issue again; maybe this one can be used:

  // bypass cron.php
  $cron_uri = preg_replace('/^(http|https):\/\/[\d\w.:]*/i', '', $base_url . '/cron.php');
  if (!$securesite_enabled || request_uri() == $cron_uri) {
    return;
  }
Kirin_Lin@drupaltaiwan.org’s picture

The pattern should be

/^(http|https):\/\/[\d\w.:-]*/i

I forgot the hyphen (-).

gábor hojtsy’s picture

Title: block cron.php access if $base_url is set. » cron.php still requires authentication!
Priority: Normal » Critical

I think this check is completely faulty. request_uri() does not contain the domain, so the $base_url should not be looked for in it as far as I see. The cron is only able to run with this modification on my site.

  // Gabor: $base_url removed as our request_uri() does not contain that.
  if (!$securesite_enabled ||  request_uri() == /*$base_url .*/'/cron.php') {

Look at http://api.drupal.org/api/function/request_uri/5 and see for yourself. Although I am a fresh user of this module, this kind of error does not give that good an impression. This is a quite basic functionality which should not be broken.

NaX’s picture

Status | File | Size
new | | 1.02 KB

Patch with a simple fix, using $base_path.
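
The checks discussed in this thread, compared side by side over constructed request URIs, as an added example (not the module's code and not NaX's patch). `example_base_path()` is a hypothetical helper that assumes the base path is the path component of `$base_url`, and `$uri` stands in for the return value of request_uri().

```php
<?php
// Added example. request_uri() returns the path plus query string,
// never the scheme or host, so $uri below plays that role.

// Hypothetical helper: derive the site's base path from $base_url.
function example_base_path($base_url) {
  $path = parse_url($base_url, PHP_URL_PATH);  // NULL when no path is set
  return rtrim((string) $path, '/') . '/';
}

// The "old method": substring match anywhere in the URI.
function check_substring($uri) {
  return strstr($uri, 'cron.php') !== FALSE;
}

// The check reported as broken: $base_url carries scheme and host.
function check_base_url($uri, $base_url) {
  return $uri == $base_url . '/cron.php';
}

// Exact comparison of the path component against base path + cron.php.
function check_base_path($uri, $base_url) {
  $path = parse_url($uri, PHP_URL_PATH);  // drops any query string
  return $path === example_base_path($base_url) . 'cron.php';
}

// Constructed sample data.
$sites = array('http://www.example.com', 'http://www.example.com/drupal');
$uris  = array('/cron.php', '/drupal/cron.php', '/node/1?q=cron.php', '/admin');

foreach ($sites as $base_url) {
  foreach ($uris as $uri) {
    printf("%-30s %-20s substring=%d base_url=%d base_path=%d\n",
      $base_url, $uri,
      check_substring($uri),
      check_base_url($uri, $base_url),
      check_base_path($uri, $base_url));
  }
}
```

The `base_url` column is 0 on every row, which is the failure reported here. The `substring` column is 1 for `/node/1?q=cron.php`, so that check also skips authentication for requests that merely mention cron.php, while the path comparison exempts only the site's own cron.php.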

NaX’s picture

Version: 5.x-1.0 » 5.x-1.x-dev
Status: Active » Fixed

Committed to dev.

Anonymous’s picture

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.