From 095ee50edc61cedc6067406127fc589497b5542b Mon Sep 17 00:00:00 2001 From: Fred Gleason Date: Mon, 17 Jul 2017 12:05:58 -0400 Subject: [PATCH] 2017-07-06 Fred Gleason * Added an 'RDEscapeShellString()' function in 'lib/rdescape_string.h' and 'lib/rdescape_string.cpp'. * Fixed a bug in 'lib/rduser.cpp' that caused PAM authentication of accounts with a password containing one or more '$' characters to fail. --- ChangeLog | 5 +++ lib/rdescape_string.cpp | 83 ++++------------------------------------- lib/rdescape_string.h | 4 +- lib/rduser.cpp | 3 +- 4 files changed, 16 insertions(+), 79 deletions(-) diff --git a/ChangeLog b/ChangeLog index 42b0a393..c1289201 100644 --- a/ChangeLog +++ b/ChangeLog @@ -15891,3 +15891,8 @@ * Removed RD_MAX_STATIONS from 'lib/rd.h'. 2017-07-06 Fred Gleason * Incremented the package version to 2.16.0int06. +2017-07-06 Fred Gleason + * Added an 'RDEscapeShellString()' function in 'lib/rdescape_string.h' + and 'lib/rdescape_string.cpp'. + * Fixed a bug in 'lib/rduser.cpp' that caused PAM authentication of + accounts with a password containing one or more '$' characters to fail. diff --git a/lib/rdescape_string.cpp b/lib/rdescape_string.cpp index c2a1c6f7..9f44fe65 100644 --- a/lib/rdescape_string.cpp +++ b/lib/rdescape_string.cpp @@ -2,7 +2,7 @@ // // Escape non-valid characters in a string. // -// (C) Copyright 2002-2005,2016 Fred Gleason +// (C) Copyright 2002-2005,2016-2017 Fred Gleason // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License version 2 as @@ -147,80 +147,11 @@ QString RDEscapeString(QString const &str) } } - /* - for(unsigned i=0;i': - res+=QString("\\>"); - break; - - case '|': - res+=QString("\\|"); - break; - - default: - res+=((const char *)str)[i]; - break; - } - } - */ - return res; } + + +QString RDEscapeShellString(QString str) +{ + return "\""+str.replace("$","\\$")+"\""; +} 
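Review bot: `RDEscapeShellString()` escapes only `$`, but inside double quotes a POSIX shell also interprets `"`, the backtick and `\`, so a user name or password containing any of those still ends the quoting or starts a command substitution in the string that `lib/rduser.cpp` (last hunk of this patch) passes to `system()`. Single-quoting leaves one character to handle and is easier to get right: `return "'"+str.replace("'","'\\''")+"'";`. The function should also carry a header comment stating that it returns one complete, already-quoted shell word for concatenation into an `sh` command line, and that callers must not add their own quotes around it.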
diff --git a/lib/rdescape_string.h b/lib/rdescape_string.h index 553d84a6..f811b49a 100644 --- a/lib/rdescape_string.h +++ b/lib/rdescape_string.h @@ -2,7 +2,7 @@ // // Escape non-valid characters in a string. // -// (C) Copyright 2002-2005,2016 Fred Gleason +// (C) Copyright 2002-2005,2016-2017 Fred Gleason // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License version 2 as @@ -28,7 +28,7 @@ QString RDCheckDateTime(const QTime &time, const QString &format); QString RDCheckDateTime(const QDateTime &datetime, const QString &format); QString RDCheckDateTime(const QDate &date, const QString &format); QString RDEscapeString(const QString &str); - +QString RDEscapeShellString(QString str); #endif // RDESCAPE_STRING_H diff --git a/lib/rduser.cpp b/lib/rduser.cpp index 32d331c7..4f049464 100644 --- a/lib/rduser.cpp +++ b/lib/rduser.cpp @@ -70,7 +70,8 @@ bool RDUser::authenticated(bool webuser) const #ifndef WIN32 else { QString cmd= - "rdauth "+pamService()+" \""+user_name+"\" \""+user_password+"\""; + "rdauth "+pamService()+" "+RDEscapeShellString(user_name)+" "+ + RDEscapeShellString(user_password); int exitcode=system(cmd); return WEXITSTATUS(exitcode)==0; }
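Review bot: The password is still placed on the `rdauth` command line, where other local users can read it from the process list while the helper runs, and no amount of quoting changes that. Starting the helper without a shell and passing the password over stdin or a pipe would remove both the exposure and the dependence on shell escaping (whether `rdauth` can read a password from stdin is not visible here). `pamService()` is concatenated unquoted, so unless it is a fixed constant it should go through `RDEscapeShellString()` too. The unchanged `return WEXITSTATUS(exitcode)==0;` can report success when the child is terminated by a signal, because the exit-status bits are then zero; `return exitcode!=-1&&WIFEXITED(exitcode)&&WEXITSTATUS(exitcode)==0;` fails closed. `RDUser::authenticated()` begins and ends outside this hunk.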