guacamole-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Jumper <>
Subject Re: '$' chra in password.
Date Tue, 08 Nov 2016 02:14:06 GMT
On Nov 7, 2016 5:59 PM, "Shanon Loughton" <>
> I think I observed something similar when dealing with hard coding the
password in the XML files, both noauth-config.xml and user-mapping.xml and
for RDP connections.
> The work around was to escape the $ character, and possibly other
characters too.
> ie  <param name="password" value="foo\$bar@123" />
> What happens when you escape \$ character entry in the web interface?

Hi Shanon,

It shouldn't be necessary to escape the '$' in either case, unless it is
used in the same format as a parameter token ("${arbitrary text}"), in
which case the escape pattern is to repeat the '$' ("$${arbitrary text}").

Even then, however, it's virtually never required. The substitution will
only occur if the ${...} pattern fully matches (both braces are present,
not just the '$'), *and* the name of the token (the next within the braces)
is the name of a defined token.

In practice, this means that the '$' in a parameter value needs only be
escaped if it is part of the following substrings, and is intended to be
interpreted literally (not automatically substituted at all):


And, as of current git:



For XML, you would of course also need to escape characters which have
special meaning to XML (like '&'), but that is not Guacamole-specific. As
long as your XML is valid, you should be OK.

For the database auth, and for both XML-driven extensions, backslashes in
values have no special meaning will be interpreted as literal backslashes.
In fact, with the exception of parameter tokens, absolutely all characters
are interpreted literally.


- Mike

View raw message