Fix HUDSON-8172

...passwords should not be expanded as normal script variables are

src/main/java/hudson/plugins/script_realm/LoginScriptLauncher.java

@@ -0,0 +1,67 @@
+/**
+ * 
+ */
+package hudson.plugins.script_realm;
+
+import hudson.EnvVars;
+import hudson.FilePath;
+import hudson.Launcher.LocalLauncher;
+import hudson.Proc;
+import hudson.Util;
+import hudson.model.TaskListener;
+
+import java.io.File;
+import java.io.IOException;
+
+/**
+ * This launcher does not expand the given environment variables - this is
+ * needed, as the password and user should be past to the script as they are
+ * entered in the UI. (e.g. '$$' should not be expanded to '$', but stay as it
+ * is)
+ * 
+ * @author domi
+ * 
+ */
+public class LoginScriptLauncher extends LocalLauncher {
+
+	public LoginScriptLauncher(TaskListener listener) {
+		super(listener);
+	}
+
+	@Override
+	public Proc launch(ProcStarter ps) throws IOException {
+		maskedPrintCommandLine(ps.cmds(), ps.masks(), ps.pwd());
+
+		EnvVars jobEnv = inherit(ps.envs());
+
+		// replace variables in command line
+		String[] jobCmd = new String[ps.cmds().size()];
+		for (int idx = 0; idx < jobCmd.length; idx++) {
+			jobCmd[idx] = jobEnv.expand(ps.cmds().get(idx));
+		}
+
+		return new hudson.Proc.LocalProc(jobCmd, Util.mapToEnv(jobEnv), ps.stdin(), ps.stdout(), ps.stderr(), toFile(ps.pwd()));
+	}
+
+	private File toFile(FilePath f) {
+		return f == null ? null : new File(f.getRemote());
+	}
+
+	/**
+	 * Expands the list of environment variables.
+	 */
+	public static EnvVars inherit(String[] env) {
+		// convert String[] to Map
+		EnvVars m = new EnvVars();
+		if (env != null) {
+			for (String e : env) {
+				int index = e.indexOf('=');
+				m.put(e.substring(0, index), e.substring(index + 1));
+			}
+		}
+		// at this point the original implementation
+		// (hudson.Launcher.LocalLauncher) was expanding the variables.
+		return m;
+	}
+
+}

src/main/java/hudson/plugins/script_realm/ScriptSecurityRealm.java

@@ -79,7 +79,7 @@ public class ScriptSecurityRealm extends AbstractPasswordBasedSecurityRealm {
 	protected UserDetails authenticate(String username, String password) throws AuthenticationException {
 		try {
 			StringWriter out = new StringWriter();
-			LocalLauncher launcher = new LocalLauncher(new StreamTaskListener(out));
+			LocalLauncher launcher = new LoginScriptLauncher(new StreamTaskListener(out));
 			if (launcher.launch().cmds(QuotedStringTokenizer.tokenize(commandLine)).stdout(new NullOutputStream()).envs("U=" + username, "P=" + password)
 					.join() != 0) {
 				throw new BadCredentialsException(out.toString());

src/test/java/hudson/plugins/script_realm/ExpandEnvVarsTest.java

@@ -0,0 +1,17 @@
+package hudson.plugins.script_realm;
+
+import hudson.EnvVars;
+import junit.framework.TestCase;
+
+public class ExpandEnvVarsTest extends TestCase {
+
+	/**
+	 * assert the entered pwd does not get expanded, but stands as it is (does not get changed)
+	 */
+	public void testEnvVars() {
+		String value = "dummy$$pwd";
+		EnvVars m = LoginScriptLauncher.inherit(new String[]{"U=user","P="+value});
+		String expandedValue = m.get("P");
+		assertEquals(value, expandedValue);
+	}
+}

src/test/java/hudson/plugins/script_realm/ScriptSecurityRealmTest.java

@@ -7,16 +7,19 @@ import org.jvnet.hudson.test.HudsonTestCase;
  * @author Kohsuke Kawaguchi
  */
 public class ScriptSecurityRealmTest extends HudsonTestCase {
-    public void test1() {
-        new ScriptSecurityRealm("/bin/true", null, null).authenticate("test","test");
-    }
+	public void test1() {
+		new ScriptSecurityRealm("/bin/true", null, null).authenticate("test",
+				"test");
+	}
+
+	public void test2() {
+		try {
+			new ScriptSecurityRealm("/bin/false", null, null).authenticate(
+					"test", "test");
+			fail();
+		} catch (AuthenticationException e) {
+			// as expected
+		}
+	}
 
-    public void test2() {
-        try {
-            new ScriptSecurityRealm("/bin/false", null, null).authenticate("test","test");
-            fail();
-        } catch (AuthenticationException e) {
-            // as expected
-        }
-    }
 }