Merge branch '6822-extend-server-side-cron-checks' into 'develop'

Resolve "Extend server-side cron checks"

Closes #6822

See merge request ispconfig/ispconfig3!1975

Author: Till Brehm

interface/lib/classes/validate_cron.inc.php

@@ -53,6 +53,10 @@ function command_format($field_name, $field_value, $validator) {
 			if($parsed["scheme"] != "http" && $parsed["scheme"] != "https") return $this->get_error($validator['errmsg']);
 
 			if(preg_match("'^([a-z0-9][a-z0-9_\-]{0,62}\.)+([A-Za-z0-9\-]{2,63})$'i", $parsed["host"]) == false) return $this->get_error($validator['errmsg']);
+
+			if(strpos($field_value, '\\') !== false) {
+				return $this->get_error($validator['errmsg']);
+			}
 		}
 		if(strpos($field_value, "\n") !== false || strpos($field_value, "\r") !== false || strpos($field_value, chr(0)) !== false) {
 			return $this->get_error($validator['errmsg']);

server/plugins-available/cron_jailkit_plugin.inc.php

@@ -121,7 +121,7 @@ function insert($event_name, $data) {
 
 				$this->_add_jailkit_user();
 
-				$command .= 'usermod -U ? 2>/dev/null';
+				$command = 'usermod -U ? 2>/dev/null';
 				$app->system->exec_safe($command, $parent_domain["system_user"]);
 
 				$this->_update_website_security_level();

server/plugins-available/cron_plugin.inc.php

@@ -219,6 +219,12 @@ function _write_crontab() {
 		$cmd_count = 0;
 		$chr_cmd_count = 0;
 
+		// Check if parentDomain array is empty
+		if(!is_array($this->parent_domain) || count($this->parent_domain) == 0) {
+			$app->log("Parent domain not found", LOGLEVEL_WARN);
+			return 0;
+		}
+
 		//* read all active cron jobs from database and write them to file
 		$cron_jobs = $app->db->queryAllRecords("SELECT c.`run_min`, c.`run_hour`, c.`run_mday`, c.`run_month`, c.`run_wday`, c.`command`, c.`type`, c.`log`, `web_domain`.`domain` as `domain` FROM `cron` as c INNER JOIN `web_domain` ON `web_domain`.`domain_id` = c.`parent_domain_id` WHERE c.`parent_domain_id` = ? AND c.`active` = 'y'", $this->parent_domain["domain_id"]);
 		if($cron_jobs && count($cron_jobs) > 0) {
@@ -240,15 +246,21 @@ function _write_crontab() {
 					$log_wget_target = $log_root . '/cron_wget.log';
 				}
 
+				// Check if command contains invalid chars
+				if(strpos($job['command'], "\n") !== false || strpos($job['command'], "\r") !== false || strpos($job['command'], chr(0)) !== false) {
+					$app->log("Insecure Cron job SKIPPED: " . $job['command'], LOGLEVEL_WARN);
+					continue;
+				}
+
 				$cron_line .= "\t{$this->parent_domain['system_user']}"; //* running as user
 				if($job['type'] == 'url') {
-					$cron_line .= "\t{$cron_config['wget']} --no-check-certificate --user-agent='Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0' -q -t 1 -T 7200 -O " . $log_wget_target . " " . escapeshellarg($job['command']) . " " . $log_target;
-				} else {
-					if(strpos($job['command'], "\n") !== false || strpos($job['command'], "\r") !== false || strpos($job['command'], chr(0)) !== false) {
+					// Check that command does not contain a backslash
+					if (strpos($job['command'], '\\') !== false) {
 						$app->log("Insecure Cron job SKIPPED: " . $job['command'], LOGLEVEL_WARN);
 						continue;
 					}
-
+					$cron_line .= "\t{$cron_config['wget']} --no-check-certificate --user-agent='Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0' -q -t 1 -T 7200 -O " . $log_wget_target . " " . escapeshellarg($job['command']) . " " . $log_target;
+				} else {
 					$web_root = '';
 					if($job['type'] == 'chrooted') {
 						if(substr($job['command'], 0, strlen($this->parent_domain['document_root'])) == $this->parent_domain['document_root']) {