Matthias Wächter
8/27/2007 9:26:00 PM
On 27.08.2007 22:34, Felix Windt wrote:
> system("start putty.exe -X -ssh -pw #{ARGV[0]} myuserid@myhostname")
Never trust parameters or their encoding, or you beg for privilege
escalation problems. The given command will perform both shell
expansion (consider a password like "%PATH%") and parameter
separation (consider a password like "pw; rm -rf /*").
It's much wiser to disallow expansion:
system("start","putty.exe","-X","-ssh","-pw",ARGV[0],"myuserid@myhostname")
- Matthias
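
The difference between the two call forms, as an added example that is not part of the original post: it uses `IO.popen`, which follows the same string-versus-list rule as `system`, on a POSIX shell where `$DEMO_VAR` stands in for `%PATH%`. The child script, `DEMO_VAR`, the `via_string`/`via_list` helpers and the sample passwords are constructed for illustration.

```ruby
require "json"
require "rbconfig"
require "shellwords"

# Child process: reports the argument vector it actually received.
CHILD = 'require "json"; puts JSON.generate(ARGV)'.freeze
RUBY = RbConfig.ruby
DEMO_ENV = { "DEMO_VAR" => "expanded" }.freeze # constructed variable for the expansion case

# Split child output into the argv it saw and anything printed by extra commands.
def report(output)
  first, *rest = output.lines.map(&:chomp)
  { argv: JSON.parse(first), extra: rest }
end

# One interpolated string: Ruby hands it to /bin/sh, which expands and splits it.
def via_string(password)
  cmd = "#{Shellwords.escape(RUBY)} -e '#{CHILD}' -- -pw #{password} user@host"
  report(IO.popen(DEMO_ENV, cmd, &:read))
end

# Separate arguments: no shell runs, each element reaches the child verbatim.
def via_list(password)
  report(IO.popen(DEMO_ENV, [RUBY, "-e", CHILD, "--", "-pw", password, "user@host"], &:read))
end

# Constructed sample passwords with harmless payloads.
SAMPLES = ["hunter2", "$DEMO_VAR", "a b", "pw; echo INJECTED"].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |pw|
    puts "password: #{pw.inspect}"
    puts "  string form: #{via_string(pw)}"
    puts "  list form:   #{via_list(pw)}"
  end
end
```

In the string form the last sample ends the first command early and runs a second one; in the list form every sample arrives as exactly one argument after `-pw`.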