
Fix Remote Arbitrary Command Execution

Anything can be passed to the time fields, which in turn is passed to
the agent and inserted into the cron file... and then executed.

This will fix that.
Adjokip 8 лет назад
Родитель
Сommit
8268d9089a

+ 2 - 1
lang/English/modules/cron.php

@@ -44,4 +44,5 @@ define('OGP_LANG_refresh_interval', "Refresh Interval");
 define('OGP_LANG_cron_no_servers_tied_to_account', "There are no game servers directly assigned to your account.");
 define('OGP_LANG_cron_admin_link_display_text', "Cron Administration (All Servers)");
 define('OGP_LANG_cron_admin_no_ogp_servers_to_display', "There aren't any game servers currently configured in OGP.");
-?>
+define('OGP_LANG_bad_inputs', "Scheduled time contains invalid characters.");
+?>

+ 9 - 2
modules/cron/cron.php

@@ -30,7 +30,7 @@ require_once('modules/cron/shared_cron_functions.php');
 
 function exec_ogp_module() 
 {
-	global $db;
+	global $db, $view;
 	$r_servers = $db->getRemoteServers();
 	$homes = $db->getIpPorts();
 	if(!$homes)
@@ -117,6 +117,13 @@ function exec_ogp_module()
 											$remote_servers[$r_server_id]['timeout']);
 			$command = strip_real_escape_string($_POST['command']);
 		}
+
+		if (!checkCronInput($_POST['minute'], $_POST['hour'], $_POST['dayOfTheMonth'], $_POST['month'], $_POST['dayOfTheWeek'])) {
+			print_failure(get_lang('OGP_LANG_bad_inputs'));
+			$view->refresh('?m=cron&p=cron');
+
+			return;
+		}
 		
 		$job = $_POST['minute']." ".
 			   $_POST['hour']." ".
@@ -392,4 +399,4 @@ $(document).ready(function()
 </script>
 <?php
 }
-?>
+?>
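Review bot: The guard added at L42 reads `$_POST['minute']`, `$_POST['hour']`, `$_POST['dayOfTheMonth']`, `$_POST['month']` and `$_POST['dayOfTheWeek']` without an `isset()` check, so a request missing any of them raises an undefined-index notice before checkCronInput rejects the null; reading them via `isset($_POST[$k]) ? $_POST[$k] : ''` would keep the rejection and drop the notice. The identical seven-line block is pasted again in modules/cron/user_cron.php (L101–L106); a single helper in shared_cron_functions.php that pulls the five fields from `$_POST` itself would keep both call sites in step. Note that the new check covers only the time fields — `$_POST['command']` on L39 still reaches the job line through strip_real_escape_string alone, which the commit does not change. exec_ogp_module starts and ends outside this hunk.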

+ 17 - 1
modules/cron/shared_cron_functions.php

@@ -249,4 +249,20 @@ function get_remote_server_selector($r_servers, $remote_servers_offline, $remote
 	}
 	return $select_rserver .= "</select>\n";
 }
-?>
+
+function checkCronInput($min, $hour, $day, $month, $dayOfWeek) {
+    $blacklist = '"#$%^&()+=[]\';{}|:<>?~';
+    $returns = array();
+    
+    $args = func_get_args();
+    
+    foreach ($args as $k => $arg) {
+        if (empty($arg) || strpbrk($arg, $blacklist)) {
+            $returns[$k] = false;
+        }
+    }
+    
+    return (empty($returns) ? true : false);
+}
+
+?>
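Review bot: `empty($arg)` on L74 is true for the string `"0"`, so a job scheduled at minute 0, hour 0 or day-of-week 0 is refused with OGP_LANG_bad_inputs even though those are valid crontab values; the emptiness test should be `$arg === ''` (or a `strlen` check). The character blacklist on L68 is also the wrong shape for this input: it has to enumerate every character that matters (whitespace, newlines and backslashes are not in it), whereas a crontab time field only ever needs digits, `*`, `,`, `-` and `/`, so an allowlist `preg_match` is both shorter and complete. The `$returns` array and `empty($returns) ? true : false` can collapse to an early `return false`. The fields should also be required to be strings, since `$_POST` values may arrive as arrays. I assume the UI submits numeric fields only — widen the pattern if month or weekday names such as `jan`/`mon` are accepted.

```php
function checkCronInput($min, $hour, $day, $month, $dayOfWeek) {
    // Allowlist: the only characters a crontab time field needs.
    // TODO(review): extend if month/weekday names are accepted by the form.
    foreach (func_get_args() as $arg) {
        if (!is_string($arg) || $arg === '' || !preg_match('/^[0-9*,\/-]+$/', $arg)) {
            return false;
        }
    }

    return true;
}
```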

+ 10 - 2
modules/cron/user_cron.php

@@ -30,7 +30,7 @@ require_once('modules/cron/shared_cron_functions.php');
 
 function exec_ogp_module() 
 {
-	global $db;
+	global $db, $view;
 	$isAdmin = $db->isAdmin($_SESSION['user_id']);
 	$boolShowedAdminLink = false;
 
@@ -119,6 +119,14 @@ function exec_ogp_module()
 					$command = "wget -qO- \"" . $panelURL . "/ogp_api.php?action=autoUpdateSteamHome&homeid=" . $home_id . "&controlpass=" . $control_password . "\" --no-check-certificate > /dev/null 2>&1";
 					break;
 			}
+
+			if (!checkCronInput($_POST['minute'], $_POST['hour'], $_POST['dayOfTheMonth'], $_POST['month'], $_POST['dayOfTheWeek'])) {
+				print_failure(get_lang('OGP_LANG_bad_inputs'));
+				$view->refresh('?m=cron&p=user_cron');
+
+				return;
+			}
+
 			$job = $_POST['minute']." ".
 				   $_POST['hour']." ".
 				   $_POST['dayOfTheMonth']." ".
@@ -303,4 +311,4 @@ $(document).ready(function()
 </script>
 <?php
 }
-?>
+?>