From 88ab77fc85ec0d06dbb9fda72da7daae88a45704 Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Fri, 19 Nov 2021 19:58:19 +0100
Subject: [PATCH] Cron - shell escape parameters using shlex functions

---
 src/opnsense/service/templates/OPNsense/Cron/user.cron | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/opnsense/service/templates/OPNsense/Cron/user.cron b/src/opnsense/service/templates/OPNsense/Cron/user.cron
index 65487a0f6..42247084c 100644
--- a/src/opnsense/service/templates/OPNsense/Cron/user.cron
+++ b/src/opnsense/service/templates/OPNsense/Cron/user.cron
@@ -10,7 +10,11 @@ PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
 {%  for job in helpers.toList('OPNsense.cron.jobs.job') %}
 {%   if job.enabled|default('0') == '1' %}
 # Origin/Description: {{job.origin}}/{{job.description}}
-{{job.minutes}}	{{job.hours}}	{{job.days}}	{{job.months}}	{{job.weekdays}}	/usr/local/sbin/configctl -d {{job.command}} {{job.parameters}}
+{{job.minutes}}	{{job.hours}}	{{job.days}}	{{job.months}}	{{job.weekdays}}	/usr/local/sbin/configctl -d {{job.command}} {%
+   if job.parameters %} {%
+      for param in job.parameters|shlex_split %} {{param|shlex_quote}}{%
+      endfor %}
+   {% endif %}
 {%   endif %}
 {%  endfor %}
 {% endif %}