From de6760a9a25bf4a24914c2cc0290cd81c71de58b Mon Sep 17 00:00:00 2001
From: Jerome Despatis <jerome@despatis.com>
Date: Fri, 2 Dec 2011 15:49:27 +0100
Subject: [PATCH] Protection against too long command to avoid bad code
 injection on shell

---
 classes/ezscheduledscript.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/classes/ezscheduledscript.php b/classes/ezscheduledscript.php
index 4f7117f..253374e 100644
--- a/classes/ezscheduledscript.php
+++ b/classes/ezscheduledscript.php
@@ -50,6 +50,9 @@ static function create( $name, $command, $userID = false )
             return false;
         }
 
+        $name = trim( $name );
+        $command = trim( $command );
+
         if ( !$userID )
         {
             $userID = eZUser::currentUserID();
@@ -60,6 +63,12 @@ static function create( $name, $command, $userID = false )
         $command = str_replace( self::SCRIPT_NAME_STRING, $name, $command );
         $command = str_replace( self::SITE_ACCESS_STRING, $scriptSiteAccess, $command );
 
+        if ( strlen( $command ) > 2000 )
+        {
+            eZDebug::writeError( 'Your command string is too long, it must be less than 2000 characters.', 'ezscriptmonitor' );
+            return false;
+        }
+
         // Negative progress means not started yet
         return new self( array( 'name' => $name,
                                 'command' => $command,