id,summary,reporter,owner,description,type,status,priority,milestone,component,version,severity,resolution,keywords,cc,mlocked 3892,Shell escape userid/password for Schedules Direct,sphery ,Isaac Richards,"The attached patch shell escapes the userid and password for Schedules Direct accounts to allow the use of the single quote character. Though it's unlikely that a single quote exists in a valid userid, shell escaping the userid will allow the user to see a useful error in the log rather than simply seeing sh complain about a missing single quote. After this patch, the mythfilldatabase code can handle any special characters that SD can handle. This does also have a small security benefit, especially for those running the backend as root. In order to use the exploit, though, an attacker would need other access to the system. So, the security side side of the fix is probably less important than the usability/good error message side of it. This should probably also be applied to -fixes. Thanks to xris for teaching me how to properly shell escape a single quote.",patch,closed,minor,unknown,mythtv,head,medium,fixed,,,0