Untaint results from escapeshellarg.

db/User.pm.in

@@ -1466,7 +1466,8 @@ sub escapeshellarg($)
     my ($str) = @_;
 
     $str =~ s/[^[:alnum:]]/\\$&/g;
-    return $str;
+    $str =~ /^(.+)$/; # untaint the result
+    return $1;
 }
 
 # _Always_ make sure that this 1 is at the end of the file...