2017-07-06 Fred Gleason <fredg@paravelsystems.com>

* Added an 'RDEscapeShellString()' function in 'lib/rdescape_string.h'
	and 'lib/rdescape_string.cpp'.
	* Fixed a bug in 'lib/rduser.cpp' that caused PAM authentication of
	accounts with a password containing one or more '$' characters to fail.

ChangeLog

@@ -15891,3 +15891,8 @@
 	* Removed RD_MAX_STATIONS from 'lib/rd.h'.
 2017-07-06 Fred Gleason <fredg@paravelsystems.com>
 	* Incremented the package version to 2.16.0int06.
+2017-07-06 Fred Gleason <fredg@paravelsystems.com>
+	* Added an 'RDEscapeShellString()' function in 'lib/rdescape_string.h'
+	and 'lib/rdescape_string.cpp'.
+	* Fixed a bug in 'lib/rduser.cpp' that caused PAM authentication of
+	accounts with a password containing one or more '$' characters to fail.

lib/rdescape_string.cpp

@@ -2,7 +2,7 @@
 //
 // Escape non-valid characters in a string.
 //
-//   (C) Copyright 2002-2005,2016 Fred Gleason <fredg@paravelsystems.com>
+//   (C) Copyright 2002-2005,2016-2017 Fred Gleason <fredg@paravelsystems.com>
 //
 //   This program is free software; you can redistribute it and/or modify
 //   it under the terms of the GNU General Public License version 2 as
@@ -147,80 +147,11 @@ QString RDEscapeString(QString const &str)
     }
   }
 
-  /*
-  for(unsigned i=0;i<str.length();i++) {
-    switch(((const char *)str)[i]) {
-	case '(':
-	  res+=QString("\\\(");
-	  break;
-
-	case ')':
-	  res+=QString("\\)");
-	  break;
-
-	case '{':
-	  res+=QString("\\\{");
-	  break;
-
-	case '"':
-	  res+=QString("\\\"");
-	  break;
-
-	case '´':
-	  res+=QString("\\´");
-	  break;
-
-	case '`':
-	  res+=QString("\\`");
-	  break;
-
-	case '[':
-	  res+=QString("\\\[");
-	  break;
-
-	case '\'':
-	  res+=QString("\\\'");
-	  break;
-
-	case '\\':
-	  res+=QString("\\");
-	  res+=QString("\\");
-	  break;
-
-	case '?':
-	  res+=QString("\\\?");
-	  break;
-
-	case ' ':
-	  res+=QString("\\ ");
-	  break;
-
-	case '&':
-	  res+=QString("\\&");
-	  break;
-
-        case ';':
-	  res+=QString("\\;");
-	  break;
-
-        case '<':
-	  res+=QString("\\<");
-	  break;
-
-        case '>':
-	  res+=QString("\\>");
-	  break;
-
-        case '|':
-	  res+=QString("\\|");
-	  break;
-
-	default:
-	  res+=((const char *)str)[i];
-	  break;
-    }
-  }
-  */
-
   return res;
 }
+
+
+QString RDEscapeShellString(QString str)
+{
+  return "\""+str.replace("$","\\$")+"\"";
+}

lib/rdescape_string.h

@@ -2,7 +2,7 @@
 //
 // Escape non-valid characters in a string.
 //
-//   (C) Copyright 2002-2005,2016 Fred Gleason <fredg@paravelsystems.com>
+//   (C) Copyright 2002-2005,2016-2017 Fred Gleason <fredg@paravelsystems.com>
 //
 //   This program is free software; you can redistribute it and/or modify
 //   it under the terms of the GNU General Public License version 2 as
@@ -28,7 +28,7 @@ QString RDCheckDateTime(const QTime &time, const QString &format);
 QString RDCheckDateTime(const QDateTime &datetime, const QString &format);
 QString RDCheckDateTime(const QDate &date, const QString &format);
 QString RDEscapeString(const QString &str);
-
+QString RDEscapeShellString(QString str);
 
 
 #endif  // RDESCAPE_STRING_H

lib/rduser.cpp

@@ -70,7 +70,8 @@ bool RDUser::authenticated(bool webuser) const
 #ifndef WIN32
   else {
     QString cmd=
-      "rdauth "+pamService()+" \""+user_name+"\" \""+user_password+"\"";
+      "rdauth "+pamService()+" "+RDEscapeShellString(user_name)+" "+
+      RDEscapeShellString(user_password);
     int exitcode=system(cmd);
     return WEXITSTATUS(exitcode)==0;
   }