CiviCRM Community Forums (archive)

Does it worry anyone that emails sent out using the civimail cronjob through the command line expose a valid username and password in the Internet headers for any email that is sent?

When I look at the Internet headers for an email sent by civimail (that is run through a cli cronjob) it shows me a valid username and password.

I just wondered if I am missing something or if this is expected behavior? Even with a relatively unprivileged user (just able to access civimail) it could open the site to possible abuses couldn't it?

I am running it as a cronjob via the shell. It reports the cronjob command with the parameters (which includes a username and password for the website). It reports the information under X-Source-Args in the Internet Headers.

I'm not a sysadmin expert (enough to mostly get things done and be a little dangerous), but I believe I have it setup for the civimail functions so that it doesn't call it via a URL, but uses PHP cli to execute the civicrm cron functions (they are in bold). I have included a sanitized version of my crontab to verify.

MAILTO="webmaster@*****.org"
0 0 * * * wget -O - -q -t 1 'http://www.*****.org/sites/all/modules/civicrm/bin/UpdateMembershipRecord.php?name=****&pass=*****&key=********'  >> /home/******/update_membership.logfile
*/15 * * * * wget -O - -q -t 1 http://www.*****.org/cron.php > /dev/null 2>&1
# This must be set to the directory where civicrm is installed.
CIVI_ROOT="/home/*******/public_html/current/sites/all/modules/civicrm"
USER=*****
#Location of the PHP Command Line Interface binary. nice -19 forces to run at a lower priority than the web server
PHP=nice -n19 /usr/local/bin/php

#line to be modified according to the informations below
PARAMS= -s*****.org -u******* -p********
#cronjob send
# m h  dom mon dow   command
*/5 * * * * cd $CIVI_ROOT;$PHP bin/civimail.cronjob.php $PARAMS
*/15 * * * * cd $CIVI_ROOT;$PHP bin/EmailProcessor.php #PARAMS