pjcasanis
Hi,
I got my server guys to set up the Cron Job required for 4.4.3. They've done it but they've got concerns.
Can you re-assure me please??
They say this:
------------------------
I just had a quick look at the script which the cron tab runs, just to see what it does really.... and I found this....
Just so that you are aware, running eval'd code is generally a bad idea unless you really know what you're doing. (Plenty articles about this available online).
Also, since being added, the script looks to take about 10 mins to run (so running every 5 mins as suggested could cause overlap problems).
OUTPUT
Notice: Undefined index: REQUEST_URI in /var/www/html/mysite.com/PF.Site/Apps/MySITE_API/start.php on line 9
Process 1 job(s) in 600.09052991867
(600 seconds = 10 minutes)
I've modified the schedule to run every 15 mins instead of every 5, so that they do not overlap.
I'd also be curious as to a PHP script that takes 10 mins to run!
---------------------
In the case of MySITE_API, it's a custom module that talks to an app.
Do I simply tell my hosts not to run the script on that app but it's fine with all of the others??
Thanks for your help.
Paul
Last update on October 10, 1:45 pm by Donna(data66).
Donna(data66)
#1
You did not follow the posted forum rules. I have removed your code as it was not in code tags as we require.
Donna(data66)
#2
Since the issue appears to be with a third party app, please ask the developer of the app.
pjcasanis
#3
> Since the issue appears to be with a third party app, please ask the developer of the app.

Yes, I have done that, but the first part of the question isn't related to the 3rd party app, it's related to some general security concerns of the eval'd code on the cron. Can your tech guys confirm that it's secure and if there is anything that we should be careful of.
After all, if we are using custom 3rd party operators (which we are encouraged to do so), we should all be very careful about the eval code in certain environments. Just looking for a thumbs up and any areas we should be careful about, that's all!!
JohnJr
#4
I am not positive but I am pretty sure he is talking about phpfox cron job. I did a fresh install of 4.43 and to make sure I didn't forget anything I went to the install page on phpfox. At the bottom of the webpage I found this and thought...ok I will set it up now before my other add-ons (as some of my add-ons do have cron jobs but I never did it for just phpfox) so I followed the instructions below.
Set up Cron
Our version 4.4 and up requires a Cron to be set up. This is for several things that used to be done via the old phpFox cron. That process doesn't run now. In order to have the old messages deleted, group notifications, importing/converting old v4 groups to the new Groups app, and several other important tasks, you must set up the cron.
I then went and ran it and I thought my system locked up. I finally went onto something else in another tab and after a long time it finished. I thought it failed but I did receive an email on its completion. I looked in my logs and in the email was correct as it took 600 seconds to finish and I have a really fast dedicated server so I thought forget running that every 5 minutes and only run it once a day at 3am in the morning. Here is the email....something is not right as it shouldn't take more than 30 seconds...no 600.
Cron /usr/bin/php -f '/var/www/vhosts/mydomain.com/httpdocs/cron.php'
(Cron Daemon) [myserver@u19356956.onlinehome-server.com]
Process 3 job(s) in 600.16387295723
Donna(data66)
#5
> Yes, I have done that, but the first part of the question isn't related to the 3rd party app, it's related to some general security concerns of the eval'd code on the cron. Can your tech guys confirm that it's secure and if there is anything that we should be careful of.
> After all, if we are using custom 3rd party operators (which we are encouraged to do so), we should all be very careful about the eval code in certain environments. Just looking for a thumbs up and any areas we should be careful about, that's all!!

Our v4.4 was released after a very careful and thorough check of all of the code for security as our blog post mentioned. If you have a security concern, never post that in an open forum. Instead, send us a support ticket marked Security Concern and then state what the concern is so that our core developers can double check the code to ensure nothing was missed. We prefer any security concerns to be in private tickets so that we can check things out. Otherwise, if they are put in the open and if there were an issue we missed, you would have alerted people that can take advantage of such issues.
You do not need paid support to submit a ticket to us regarding security concerns. Note that our core developers would check our own default code, not your site, for any security related concerns raised and they would then respond accordingly in the ticket.
Last update on October 10, 2:03 pm by Donna(data66).
JohnJr
#6
Forgot to say that is the only cron I am currently running.
pjcasanis
#7
> Our v4.4 was released after a very careful and thorough check of all of the code for security as our blog post mentioned. If you have a security concern, never post that in an open forum. Instead, send us a support ticket marked Security Concern and then state what the concern is so that our core developers can double check the code to ensure nothing was missed. We prefer any security concerns to be in private tickets so that we can check things out. Otherwise, if they are put in the open and if there were an issue we missed, you would have alerted people that can take advantage of such issues.
> You do not need paid support to submit a ticket to us regarding security concerns. Note that our core developers would check our own default code, not your site, for any security related concerns raised and they would then respond accordingly in the ticket.

Thanks Donna, it's good to know security concerns can be posted in private. I thought I needed a valid support account. This should be made clearer.
However, I see that somebody else on this ticket has also commented about the same execution time issue, so maybe not something related specifically to the 3rd party app that I have.
Should I post something to the support ticket now, or, because it is raised here, should I leave things as they are?
Thanks
PJ
Donna(data66)
#8
We have stated in threads to always post security issues in our private ticket system and never in an open forum. Please post if you think there is a security issue.
Donna(data66)
#9
Please note that we have the cron running here, on our demo, on my live dev site and many client sites without an issue. However, if you think there is a bug (not the possible security issue raised and mentioned to post in a ticket) then you would post that at github instead.
pjcasanis
#10
> We have stated in threads to always post security issues in our private ticket system and never in an open forum. Please post if you think there is a security issue.

Ok, thanks Donna. I've now posted in there. Sorry for posting in wrong section.
Mikel Coreclark
#11
Hello people.
I am just reading all your chat.
I have recently upgraded to v4.4.3.
Please can you tell me what server host you are using?
I am on arvixe at the moment and I've not had the issues you seem to be having. I may just be the lucky one. I've checked my server settings and my script and all works fine with the timings and refreshing and updates. When I upgrade the script it is very quick, less than 3 minutes. Never more than 6 minutes unless internet is running slow because of demand.
Maybe it's something I should look out for in the future.
mikel
Donna(data66)
#12
> Hello people.
> I am just reading all your chat.
> I have recently upgraded to v4.4.3.
> Please can you tell me what server host you are using?
> I am on arvixe at the moment and I've not had the issues you seem to be having. I may just be the lucky one. I've checked my server settings and my script and all works fine with the timings and refreshing and updates. When I upgrade the script it is very quick, less than 3 minutes. Never more than 6 minutes unless internet is running slow because of demand.
> Maybe it's something I should look out for in the future.
> mikel

I'm on Cazaratech/ phpfoxsolutions for my sites that work fine. In case anyone needed that info.
JohnJr
#13
Mikel,
I was referring to the cron job required by phpfox now. I never set one up for phpfox but now it is needed for several things. You get your cron address under AdminCp/tools/settings/cron. So after it is set up on your server you can set it up to email you a report which tells me that it was successful but takes 600 seconds plus to run. I have a dedicated server with 16GB of RAM and an SSD. No one else is on my server....and I don't have other stuff running like bind or email service so it is pretty fast for just a website.
In regards to install...it went perfect this time (besides the spam issue on my first install) and I give a shout out to the coders because as a computer guy I think V4 is a lot better than V4. There I said it...and yes we may be missing a few things that I wish we had but the core seems faster and upgrading is a lot easier!
I did check out the cron.php file and I did notice this
$jobs = Phpfox::getLib('cron')->getReadyJobs();
foreach ($jobs as $job) {
    eval($job);
}
I do have younet job module so maybe this is affecting it....although I have no jobs listed as it is a fresh install.
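
A pattern that addresses both points raised in this thread (job strings passed to eval() and overlapping cron runs), shown as an added example that is not phpFox code and not part of any post. Jobs are dispatched by name through an allowlist of callables, and a non-blocking flock() makes a second cron start exit while an earlier run is still active. The handler names, sample rows and lock path are hypothetical.

```php
<?php
// Added example, not phpFox code. Handler names, rows and lock path are hypothetical.

// Allowlist: the job store holds a handler name plus JSON arguments, never PHP source.
$handlers = [
    'purge_old_messages' => function (array $args): string {
        return 'purged messages older than ' . (int) ($args['days'] ?? 0) . ' days';
    },
    'send_group_notifications' => function (array $args): string {
        return 'notified group ' . (int) ($args['group_id'] ?? 0);
    },
];

// Constructed sample rows standing in for the result of a "ready jobs" query.
$readyJobs = [
    ['handler' => 'purge_old_messages',       'args' => '{"days": 30}'],
    ['handler' => 'send_group_notifications', 'args' => '{"group_id": 7}'],
    ['handler' => 'echo "not a handler";',    'args' => '{}'], // code string: rejected
];

function runJobs(array $jobs, array $handlers): array
{
    $results = [];
    foreach ($jobs as $job) {
        $name = (string) ($job['handler'] ?? '');
        $args = json_decode((string) ($job['args'] ?? ''), true);
        // Reject anything that is not a known handler with well-formed arguments.
        if (!isset($handlers[$name]) || !is_array($args)) {
            $results[] = 'rejected job: ' . json_encode($name);
            continue;
        }
        $results[] = $handlers[$name]($args);
    }
    return $results;
}

// Single-instance guard: if the previous run still holds the lock, exit at once.
$lock = fopen(sys_get_temp_dir() . '/example-cron.lock', 'c');
if ($lock === false || !flock($lock, LOCK_EX | LOCK_NB)) {
    fwrite(STDERR, "previous run still active, exiting\n");
    exit(0);
}
$start = microtime(true);
foreach (runJobs($readyJobs, $handlers) as $line) {
    echo $line, PHP_EOL;
}
printf("Process %d job(s) in %.3f\n", count($readyJobs), microtime(true) - $start);
flock($lock, LOCK_UN);
fclose($lock);
```

With the lock in place, the schedule interval no longer has to be longer than the slowest run, and rejected rows show up in the cron mail for review.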
Donna(data66)
#14
Thank you for posting and letting us know of your security concern.
Our core developers have checked and provided the following feedback:
"We use this function to execute hook code from 3rd-party apps and cron job code.
They are normal functions. We use the function eval everywhere in our code.
As a quick search, we use them 1607 times in our code. There is no need for concern."