Skip to content

Fix #40190: Block HTTP access to cron.php for security #40364

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
satishashilwar wants to merge 1 commit into
base: 2.4-develop
Choose a base branch
from
Open

Fix #40190: Block HTTP access to cron.php for security #40364

satishashilwar wants to merge 1 commit into from
+125 −2

Conversation

@satishashilwar
Copy link

@satishashilwar satishashilwar commented Dec 15, 2025
edited
Loading

  • Add security check at the top of pub/cron.php to block all HTTP requests
  • Return 403 Forbidden with clear message for web access attempts
  • Preserve CLI functionality with deprecation message pointing to bin/magento cron:run
  • Add comprehensive unit tests for both HTTP blocking and CLI behavior
  • Fixes security vulnerability and prevents runtime errors from HTTP execution
  • Resolves TypeError: implode(): Argument Can you commit to repository a folder dev/tests/static ? #1

The fix ensures cron.php is not accessible via web requests while maintaining backward compatibility for any existing CLI usage (though deprecated).
fix - #40190

Contribution checklist (*)

  • Pull request has a meaningful description of its purpose
  • All commits are accompanied by meaningful commit messages
  • All new or changed code is covered with unit/integration tests (if applicable)
  • README.md files for modified modules are updated and included in the pull request if any README.md predefined sections require an update
  • All automated tests passed successfully (all builds are green)

@satishashilwar
Fix magento#40190: Block HTTP access to cron.php for security
a8dedc5 
- Add security check at the top of pub/cron.php to block all HTTP requests
- Return 403 Forbidden with clear message for web access attempts
- Preserve CLI functionality with deprecation message pointing to bin/magento cron:run
- Add comprehensive unit tests for both HTTP blocking and CLI behavior
- Fixes security vulnerability and prevents runtime errors from HTTP execution
- Resolves TypeError: implode(): Argument magento#1 ($array) must be of type array issue

The fix ensures cron.php is not accessible via web requests while maintaining
backward compatibility for any existing CLI usage (though deprecated).
@m2-assistant
Copy link

m2-assistant bot commented Dec 15, 2025

Hi @satishashilwar. Thank you for your contribution!
Here are some useful tips on how you can test your changes using Magento test environment.
❗ Automated tests can be triggered manually with an appropriate comment:

  • @magento run all tests - run or re-run all required tests against the PR changes
  • @magento run <test-build(s)> - run or re-run specific test build(s)
    For example: @magento run Unit Tests

<test-build(s)> is a comma-separated list of build names.

Allowed build names are:
  1. Database Compare
  2. Functional Tests CE
  3. Functional Tests EE
  4. Functional Tests B2B
  5. Integration Tests
  6. Magento Health Index
  7. Sample Data Tests CE
  8. Sample Data Tests EE
  9. Sample Data Tests B2B
  10. Static Tests
  11. Unit Tests
  12. WebAPI Tests
  13. Semantic Version Checker

You can find more information about the builds here
ℹ️ Run only required test builds during development. Run all test builds before sending your pull request for review.

For more details, review the Code Contributions documentation.
Join Magento Community Engineering Slack and ask your questions in #github channel.

@satishashilwar
Copy link
Author

satishashilwar commented Dec 15, 2025

@magento run Unit Tests, Static Tests

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@satishashilwar