Nathan Pitman

Reputation: 2344

Prevent script requested by CURL (via CRON) from running in browser

I have a script which is called via a cURL request in a CRON task once a day. I would like to protect it from being executed on my live domain through a direct browser GET request.

At this time I cannot move the CRON to reside above the web root. My current CRON task looks like:

curl -q https://example.com/cron/daily/ > /dev/null

And then in the head of my CRON controller I was going to use something like:

if ((in_array($_SERVER["HTTP_HOST"], $this->config->item('live_domains'))) AND (IS_CURL)) {
    show_error("Daily CRON tasks can only be run from the command line on the live server.");
}

Upvotes: 1

Views: 548

Answers (1)

drew010

Reputation: 69937

If the cron script runs from the same server things are hosted on, you should be able to add:

if ($_SERVER['REMOTE_ADDR'] != '127.0.0.1') {
    show_error("Daily CRON tasks can only be run from the command line on the live server.");
}

Or swap 127.0.0.1 with the allowed IP addresses it can run from.

Other than that, there is no bullet-proof way to tell that the job is being run from cURL and is not being spoofed.

Or, as CollinD suggested, use a secret token as a parameter and check that.

A better bet might be to use .htaccess:

<Location /cron>
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
</Location>

Using this method, you don't need to modify the PHP code, just use Apache to allow/deny access to the cron scripts based on IP.

Upvotes: 1
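
The IP check and the secret-token check from the answer above, combined into one guard, as an added example that is not part of the original question or answer. The function name `cron_request_allowed()`, the `X-Cron-Token` header and the `CRON_TOKEN` environment variable are assumptions. Behind a reverse proxy `REMOTE_ADDR` is the proxy's address, so the allowlist has to match what PHP actually sees.

```php
<?php
// Added example; cron_request_allowed(), the X-Cron-Token header and the
// CRON_TOKEN environment variable are assumptions, not names from the page.

/** Allow the request only if the source IP is allowlisted AND the token matches. */
function cron_request_allowed(array $server, string $expectedToken, array $allowedIps): bool
{
    // An unset secret must never match an absent header.
    if ($expectedToken === '') {
        return false;
    }
    // REMOTE_ADDR comes from the TCP connection, not from a client header.
    if (!in_array($server['REMOTE_ADDR'] ?? '', $allowedIps, true)) {
        return false;
    }
    // PHP exposes the X-Cron-Token request header as HTTP_X_CRON_TOKEN.
    $supplied = (string) ($server['HTTP_X_CRON_TOKEN'] ?? '');
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guess were correct.
    return hash_equals($expectedToken, $supplied);
}

// Controller usage (show_error() is the CodeIgniter helper used on the page):
//   if (!cron_request_allowed($_SERVER, (string) getenv('CRON_TOKEN'), ['127.0.0.1', '::1'])) {
//       show_error('Forbidden', 403);
//   }
// Matching cron entry, sending the token as a header so it stays out of the URL:
//   curl -q -H "X-Cron-Token: $CRON_TOKEN" https://example.com/cron/daily/ > /dev/null

// Constructed sample requests, run only when this file is executed from the CLI.
if (PHP_SAPI === 'cli') {
    $token   = 'constructed-sample-token';
    $allowed = ['127.0.0.1', '::1'];
    $samples = [
        'loopback, correct token' => ['REMOTE_ADDR' => '127.0.0.1', 'HTTP_X_CRON_TOKEN' => $token],
        'loopback, no token'      => ['REMOTE_ADDR' => '127.0.0.1'],
        'remote, correct token'   => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_CRON_TOKEN' => $token],
        'remote, wrong token'     => ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_CRON_TOKEN' => 'guess'],
    ];
    foreach ($samples as $label => $server) {
        $verdict = cron_request_allowed($server, $token, $allowed) ? 'allow' : 'deny';
        printf("%-26s %s\n", $label, $verdict);
    }
}
```

Only the first constructed request is allowed; the other three fail either the address check or the token check.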
