From fb74c1e55ce0da2be81afc5470a3ee376d3fa165 Mon Sep 17 00:00:00 2001
From: FusionPBX <markjcrane@gmail.com>
Date: Thu, 15 Aug 2019 03:33:21 -0600
Subject: [PATCH] Update cmd.php

---
 app/call_centers/cmd.php | 82 ++++++++++++++++++++++++++--------------
 1 file changed, 53 insertions(+), 29 deletions(-)

diff --git a/app/call_centers/cmd.php b/app/call_centers/cmd.php
index d277bd8114..3ba5c52541 100644
--- a/app/call_centers/cmd.php
+++ b/app/call_centers/cmd.php
@@ -17,42 +17,66 @@
 
 	The Initial Developer of the Original Code is
 	Mark J Crane <markjcrane@fusionpbx.com>
-	Portions created by the Initial Developer are Copyright (C) 2008-2012
+	Portions created by the Initial Developer are Copyright (C) 2008-2019
 	the Initial Developer. All Rights Reserved.
 
 	Contributor(s):
 	Mark J Crane <markjcrane@fusionpbx.com>
 */
-include "root.php";
-require_once "resources/require.php";
-require_once "resources/check_auth.php";
-if (permission_exists('call_center_queue_add') || permission_exists('call_center_queue_edit')) {
-	//access granted
-}
-else {
-	echo "access denied";
-	exit;
-}
 
-$cmd = $_GET['cmd'];
-$rdr = $_GET['rdr'];
+//includes
+	include "root.php";
+	require_once "resources/require.php";
+	require_once "resources/check_auth.php";
+
+//check permissions
+	if (permission_exists('call_center_queue_add') || permission_exists('call_center_queue_edit')) {
+		//access granted
+	}
+	else {
+		echo "access denied";
+		exit;
+	}
+
+//get the variables
+	$cmd = $_GET['cmd'];
+	$queue = $_GET['queue'];
+
+//validate the variables
+	switch ($cmd) {
+		case "load":
+			//allow the command
+			break;
+		case "unload":
+			//allow the command
+			break;
+		case "reload":
+			//allow the command
+			break;
+		default:
+			unset($cmd);
+	}
+
+//only allow a uuid for the queue name
+	if (!is_uuid($queue)) {
+		unset($queue);
+	}
 
 //connect to event socket
-$fp = event_socket_create($_SESSION['event_socket_ip_address'], $_SESSION['event_socket_port'], $_SESSION['event_socket_password']);
-if ($fp) {
-	$response = event_socket_request($fp, 'api reloadxml');
-	$response = event_socket_request($fp, $cmd);
-	fclose($fp);
-}
-else {
-	$response = '';
-}
-if ($rdr == "false") {
-	//redirect false
-	echo $response;
-}
-else {
+	$fp = event_socket_create($_SESSION['event_socket_ip_address'], $_SESSION['event_socket_port'], $_SESSION['event_socket_password']);
+	if ($fp) {
+		$response = event_socket_request($fp, 'api reloadxml');
+		if (isset($cmd) && isset($queue)) {
+			$response = event_socket_request($fp, 'api callcenter_config queue '.$cmd. ' '.$queue);
+		}
+		fclose($fp);
+	}
+	else {
+		$response = '';
+	}
+
+//send the redirect
 	$_SESSION["message"] = $response;
 	header("Location: call_center_queues.php?savemsg=".urlencode($response));
-}
-?>
\ No newline at end of file
+
+?>