Use escaped cron paths and refine renewal wording

Agent-Logs-Url: https://github.com/8bitDream/AmiiboAPI/sessions/0306bdf9-88cc-41dd-8bde-09039539f355

Co-authored-by: AbandonedCart <1173913+AbandonedCart@users.noreply.github.com>

Author: Copilot

README.md

@@ -53,7 +53,7 @@ This script:
 - Copies `fullchain.pem` and `privkey.pem` from `/etc/letsencrypt/live/amiiboapi.org/` into the project root
 - Sets file permissions to read/write for owner+group (`660`) on both certificate files
 - Installs `/etc/cron.d/amiiboapi-certbot` to run renewal checks twice daily
-- `certbot renew` renews certificates (90-day validity) when they have 30 days or less remaining
+- `certbot renew` attempts renewal for certificates with 30 days or less remaining (90-day validity period)
 
 > [!IMPORTANT]
 > `certbot --standalone` needs port `80` available. Stop any process using port `80` before running issuance if needed.

scripts/certbot_certificate.sh

@@ -71,13 +71,15 @@ renew_certificate() {
 }
 
 install_renewal_schedule() {
-  local cron_cmd cron_line
-  if [[ ! "$SCRIPT_PATH" =~ ^[A-Za-z0-9._/-]+$ || ! "$LOG_FILE" =~ ^[A-Za-z0-9._/-]+$ ]]; then
-    echo "SCRIPT_PATH and LOG_FILE contain unsupported characters for cron setup." >&2
+  local quoted_script_path quoted_log_file cron_cmd cron_line
+  if [[ "$SCRIPT_PATH" != /* || "$LOG_FILE" != /* || "$SCRIPT_PATH" == *$'\n'* || "$LOG_FILE" == *$'\n'* ]]; then
+    echo "SCRIPT_PATH and LOG_FILE must be absolute single-line paths for cron setup." >&2
     exit 1
   fi
 
-  cron_cmd="/bin/bash \"$SCRIPT_PATH\" renew >> \"$LOG_FILE\" 2>&1"
+  printf -v quoted_script_path '%q' "$SCRIPT_PATH"
+  printf -v quoted_log_file '%q' "$LOG_FILE"
+  cron_cmd="/bin/bash $quoted_script_path renew >> $quoted_log_file 2>&1"
   cron_line="0 3,15 * * * root $cron_cmd"
 
   run_as_root touch "$LOG_FILE"