Prevent command injection attacks via the cputime parameter. Fixes

issue #39 (#39).
Thanks Marlon (myxxl).

application/libraries/LanguageTask.php

@@ -324,17 +324,25 @@ public function run_in_sandbox($wrappedCmd, $iscompile=true, $stdin=null) {
 
     /*
      * Get the value of the job parameter $key, which is taken from the
-     * value copied into $this from the run request if present of from the
+     * value copied into $this from the run request if present or from the
      * system defaults otherwise.
+     * If a non-numeric value is provided for a parameter that has a numeric
+     * default, the default is used instead. This prevents command injection
+     * as per issue #39 (https://github.com/trampgeek/jobe/issues/39). Thanks
+     * Marlon (myxl).
      * If $iscompile is true and the parameter value is less than that specified
      * in $min_params_compile (except if it's 0 meaning no limit), the minimum
      * value is used instead.
      */
     protected function getParam($key, $iscompile=false) {
+        $default = $this->default_params[$key];
         if (isset($this->params) && array_key_exists($key, $this->params)) {
             $param = $this->params[$key];
+            if (is_numeric($default) && !is_numeric($param)) {
+                $param = $default; // Prevent command injection attacks.
+            }
         } else {
-            $param = $this->default_params[$key];
+            $param = $default;
         }
         // ** BUG ** The min_params_compile value is being applied even if
         // this is not a compile. I'm reluctant to fix, however, as it may
@@ -347,6 +355,7 @@ protected function getParam($key, $iscompile=false) {
     }
 
 
+
     // Check if PHP exec environment includes a PATH. If not, set up a
     // default, or gcc misbehaves. [Thanks to Binoj D for this bug fix,
     // needed on his CentOS system.]