From f6734be1a17d3be5875138701fc1c5cb2831cf7c Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Tue, 29 Nov 2016 17:08:44 +0100
Subject: [PATCH] Fix security hole. Add quick and fast hack to fix it

---
 htdocs/cron/admin/cron.php | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/htdocs/cron/admin/cron.php b/htdocs/cron/admin/cron.php
index 697b24fcc1e..5b517857c7c 100644
--- a/htdocs/cron/admin/cron.php
+++ b/htdocs/cron/admin/cron.php
@@ -88,9 +88,20 @@ print "</tr>";
 
 print '<tr class="impair">';
 print '<td class="fieldrequired">'.$langs->trans("KeyForCronAccess").'</td>';
-print '<td><input type="text" class="flat" id="CRON_KEY" name="CRON_KEY" value="'. (GETPOST('CRON_KEY')?GETPOST('CRON_KEY'):(! empty($conf->global->CRON_KEY)?$conf->global->CRON_KEY:'')) . '" size="40">';
-if (! empty($conf->use_javascript_ajax))
-	print '&nbsp;'.img_picto($langs->trans('Generate'), 'refresh', 'id="generate_token" class="linkobject"');
+$disabled='';
+if (! empty($conf->global->CRON_DISABLE_KEY_CHANGE)) $disabled=' disabled="disabled"';
+print '<td>';
+if (empty($conf->global->CRON_DISABLE_KEY_CHANGE)) 
+{
+    print '<input type="text" class="flat minwidth200"'.$disabled.' id="CRON_KEY" name="CRON_KEY" value="'. (GETPOST('CRON_KEY')?GETPOST('CRON_KEY'):(! empty($conf->global->CRON_KEY)?$conf->global->CRON_KEY:'')) . '">';
+    if (! empty($conf->use_javascript_ajax))
+    	print '&nbsp;'.img_picto($langs->trans('Generate'), 'refresh', 'id="generate_token" class="linkobject"');
+}
+else 
+{
+    print (! empty($conf->global->CRON_KEY)?$conf->global->CRON_KEY:''); 
+    print '<input type="hidden" id="CRON_KEY" name="CRON_KEY" value="'. (GETPOST('CRON_KEY')?GETPOST('CRON_KEY'):(! empty($conf->global->CRON_KEY)?$conf->global->CRON_KEY:'')) . '">'; 
+}
 print '</td>';
 print '<td>&nbsp;</td>';
 print '</tr>';