admin web: fix a bug and security vulnerability

In the "ops" web page showing results, the credit link was wrong.

The page for grepping logs allowed people to run arbitrary shell commands.
Use escapeshellcmd() to prevent this.

However: the Ops interface lets you type in arbitrary SQL,
which lets bad guys do all sorts of things.
So you need to protect access to Ops very strongly.

TODO: fix all vulnerabilities in ops/.
Get rid of the DB browsing features; use phpmysqladmin.

html/inc/db_ops.inc

@@ -1162,7 +1162,7 @@ function show_result_short($result) {
     $validate_color = validate_color($result->validate_state);
     $host_user = host_user_link($result->hostid);
     $cpu_hours = sprintf("%.1f",$result->cpu_time / 3600);
-    $granted_credit = "<a href=credit.php?resultid=$result->id>".credit_str($result->granted_credit)."</a>";
+    $granted_credit = "<a href=credit.php?wu_id=$result->workunitid>".credit_str($result->granted_credit)."</a>";
     $delete_state = file_delete_state_str($result->file_delete_state);
 
     echo "

html/ops/show_log.php

@@ -28,12 +28,14 @@ if (!$log_dir) {
 }
 
 if( isset($_GET["f"]) ){
-   $f = $_GET["f"];
+    $f = $_GET["f"];
+    $f = escapeshellcmd($f);
 } else {
-   $f = "";
+    $f = "";
 }
 if( isset($_GET["s"]) ){
     $s = $_GET["s"];
+    $s = escapeshellcmd($s);
 } else {
     $s = "";
 }