Security risk of $update_access_free = true in Drupal
What kind of potential security risk does it raise if I left $update_access_free = TRUE in Drupal on a production environment? In that case, everyone can run update.php. Assuming there are no updates available, what can an attacker do?
If left enabled, an attacker could run old updates, which in a good scenario would only bog down your site's performance, but in a worst-case scenario could result in data loss or data corruption.
I wouldn't even allow access as it is unnecessary.
Someone could constantly access and run this page, using system resources.
If what you are looking for is a way to easily update your site, you should add a cron job with a Drush command to update the site at midnight. Now, from time to time developers release module fixes or upgrades that might break something on your site. Hopefully in Drupal 7 the update can be done using the site interface, and I am sure there might be some sort of console module to keep multiple sites updated.
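One way to check a deployment for the setting discussed in this thread, as an added example (not code from the thread or from Drupal): it scans settings.php text and reports whether the flag is left on. Drupal 6/7's stock settings.php spells the variable `$update_free_access` and Drupal 8+ uses `$settings['update_free_access']`; the question's spelling is accepted as well. The function names and the sample file are constructed for illustration.

```python
import re
import sys

# Block comments are removed first so an assignment inside /* ... */ is ignored.
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)

# Anchored at line start, so lines commented out with # or // never match.
_ASSIGNMENT = re.compile(
    r"""^[ \t]*\$(?:
            update_free_access                               # Drupal 6/7
          | update_access_free                               # spelling in the question
          | settings\[\s*['"]update_free_access['"]\s*\]     # Drupal 8+
        )\s*=\s*(?P<value>true|false|1|0)\s*;""",
    re.IGNORECASE | re.MULTILINE | re.VERBOSE,
)

def update_free_access_state(php_source):
    """True if update.php is open to everyone, False if explicitly closed,
    None if never set. The last assignment wins, as when PHP runs the file."""
    code = _BLOCK_COMMENT.sub("", php_source)
    state = None
    for match in _ASSIGNMENT.finditer(code):
        state = match.group("value").lower() in ("true", "1")
    return state

def audit(paths):
    """Return the paths whose settings leave update.php unrestricted."""
    exposed = []
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as handle:
            if update_free_access_state(handle.read()):
                exposed.append(path)
    return exposed

# Constructed sample, not taken from a real site.
SAMPLE = """<?php
/**
 * $update_free_access = TRUE;   (docblock text, ignored)
 */
# $update_free_access = TRUE;
$update_free_access = FALSE;
$update_free_access = TRUE;  // left on after a deployment
"""

if __name__ == "__main__":
    exposed = audit(sys.argv[1:])  # e.g. sites/*/settings.php
    for path in exposed:
        print(f"{path}: update.php can be run by anyone")
    print("constructed sample enabled:", update_free_access_state(SAMPLE))
    sys.exit(1 if exposed else 0)
```

A value computed at runtime (for example, read from an environment variable) is not a literal assignment and returns None here, so treat None as "needs a manual look" rather than "safe".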