
Merge pull request #17 from Adjokip/master

Fix Remote Arbitrary Command Execution
OwN-3m-All 8 yıl önce
ebeveyn
işleme
3073c1bcf7

+ 2 - 1
lang/English/modules/cron.php

@@ -44,4 +44,5 @@ define('OGP_LANG_refresh_interval', "Refresh Interval");
 define('OGP_LANG_cron_no_servers_tied_to_account', "There are no game servers directly assigned to your account.");
 define('OGP_LANG_cron_admin_link_display_text', "Cron Administration (All Servers)");
 define('OGP_LANG_cron_admin_no_ogp_servers_to_display', "There aren't any game servers currently configured in OGP.");
-?>
+define('OGP_LANG_bad_inputs', "Scheduled time contains invalid characters.");
+?>

+ 9 - 2
modules/cron/cron.php

@@ -30,7 +30,7 @@ require_once('modules/cron/shared_cron_functions.php');
 
 function exec_ogp_module() 
 {
-	global $db;
+	global $db, $view;
 	$r_servers = $db->getRemoteServers();
 	$homes = $db->getIpPorts();
 	if(!$homes)
@@ -117,6 +117,13 @@ function exec_ogp_module()
 											$remote_servers[$r_server_id]['timeout']);
 			$command = strip_real_escape_string($_POST['command']);
 		}
+
+		if (!checkCronInput($_POST['minute'], $_POST['hour'], $_POST['dayOfTheMonth'], $_POST['month'], $_POST['dayOfTheWeek'])) {
+			print_failure(get_lang('OGP_LANG_bad_inputs'));
+			$view->refresh('?m=cron&p=cron');
+
+			return;
+		}
 		
 		$job = $_POST['minute']." ".
 			   $_POST['hour']." ".
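Review bot: The new guard reads five `$_POST` keys directly, so a request that omits any of them reaches checkCronInput() with an undefined-index notice and a null argument instead of being rejected by an explicit presence check; the same pattern is added in modules/cron/user_cron.php. A single condition covers both cases: `if (!isset($_POST['minute'], $_POST['hour'], $_POST['dayOfTheMonth'], $_POST['month'], $_POST['dayOfTheWeek']) || !checkCronInput($_POST['minute'], $_POST['hour'], $_POST['dayOfTheMonth'], $_POST['month'], $_POST['dayOfTheWeek'])) {`. The check is also placed after the `$command` assignment on the preceding lines, so any work done there for an invalid schedule is wasted; moving it to the top of the POST branch would fail fast, though that branch begins outside the hunk. exec_ogp_module() starts and ends outside this hunk.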
@@ -392,4 +399,4 @@ $(document).ready(function()
 </script>
 <?php
 }
-?>
+?>

+ 16 - 0
modules/cron/shared_cron_functions.php

@@ -249,4 +249,20 @@ function get_remote_server_selector($r_servers, $remote_servers_offline, $remote
 	}
 	return $select_rserver .= "</select>\n";
 }
+
+function checkCronInput($min, $hour, $day, $month, $dayOfWeek) {
+    $blacklist = '"#$%^&()+=[]\';{}|:<>?~';
+    $returns = array();
+    
+    $args = func_get_args();
+    
+    foreach ($args as $k => $arg) {
+        if (empty($arg) || strpbrk($arg, $blacklist) || preg_match('/\\s/', $arg)) {
+            $returns[$k] = false;
+        }
+    }
+    
+    return (empty($returns) ? true : false);
+}
+
 ?>
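Review bot: `empty($arg)` on the new line inside the foreach rejects the string `'0'`, which is a valid value for the minute, hour, day-of-month, month and day-of-week fields, so a schedule such as `0 3 * * *` is refused with OGP_LANG_bad_inputs. The denylist approach is also fragile: any character not in `$blacklist` passes (the backtick, for one), whereas an allowlist of the characters a cron time field actually uses, `[0-9*,\/-]`, rejects everything else by construction; if the form accepts names like `mon` or `jan`, extend the class with `a-z`. Values that arrive as arrays (`minute[]=`) currently hit strpbrk() with a warning, so an `is_string()` test is worth adding too. The function is otherwise self-contained, so a short rewrite replaces the `$returns` bookkeeping and the `func_get_args()` walk over already-named parameters with an early return.
```php
function checkCronInput($min, $hour, $day, $month, $dayOfWeek) {
    // Every time field must be a non-empty string made only of the characters a cron
    // schedule field can contain. Compared strictly: '0' is a valid value and must not
    // be treated as empty. Extend the class with a-z if symbolic names are accepted.
    foreach (func_get_args() as $arg) {
        if (!is_string($arg) || $arg === '' || !preg_match('/^[0-9*,\/-]+$/', $arg)) {
            return false;
        }
    }
    return true;
}
```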

+ 10 - 2
modules/cron/user_cron.php

@@ -30,7 +30,7 @@ require_once('modules/cron/shared_cron_functions.php');
 
 function exec_ogp_module() 
 {
-	global $db;
+	global $db, $view;
 	$isAdmin = $db->isAdmin($_SESSION['user_id']);
 	$boolShowedAdminLink = false;
 
@@ -119,6 +119,14 @@ function exec_ogp_module()
 					$command = "wget -qO- \"" . $panelURL . "/ogp_api.php?action=autoUpdateSteamHome&homeid=" . $home_id . "&controlpass=" . $control_password . "\" --no-check-certificate > /dev/null 2>&1";
 					break;
 			}
+
+			if (!checkCronInput($_POST['minute'], $_POST['hour'], $_POST['dayOfTheMonth'], $_POST['month'], $_POST['dayOfTheWeek'])) {
+				print_failure(get_lang('OGP_LANG_bad_inputs'));
+				$view->refresh('?m=cron&p=user_cron');
+
+				return;
+			}
+
 			$job = $_POST['minute']." ".
 				   $_POST['hour']." ".
 				   $_POST['dayOfTheMonth']." ".
@@ -303,4 +311,4 @@ $(document).ready(function()
 </script>
 <?php
 }
-?>
+?>