On 27.08.2007 22:34, Felix Windt wrote:
> system("start putty.exe -X -ssh -pw #{ARGV[0]} myuserid@myhostname")

Never trust parameters or their encoding, or you beg for privilege
escalation problems. The given command will perform both shell
expansion (consider a password like "%PATH%") and parameter
separation (consider a password like "pw; rm -rf /*").

It's much wiser to disallow expansion:

system("start","putty.exe","-X","-ssh","-pw",ARGV[0],"myuserid@myhostname")


- Matthias
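
The difference between the two call forms in the message above, as an added example that is not part of the original post. Assumptions: it runs under a POSIX shell, the Ruby interpreter stands in for putty.exe and simply reports the arguments it received, `$DEMO_VAR` plays the role of `%PATH%`, and both sample passwords are constructed.

```ruby
require "rbconfig"
require "shellwords"

RUBY = RbConfig.ruby               # stand-in for putty.exe (assumption)
DUMP = "print ARGV.inspect"        # child script: report the arguments it received
ENV_FOR_DEMO = { "DEMO_VAR" => "expanded" }  # constructed variable for the expansion case

# One command string: a shell parses the line, so the password is
# subject to variable expansion and to splitting on shell metacharacters.
def run_as_string(password)
  cmd = "#{RUBY.shellescape} -e #{DUMP.shellescape} -- -pw #{password} user@host"
  IO.popen(ENV_FOR_DEMO, cmd, &:read)
end

# Argument list: no shell is involved, and each element reaches the
# child process as exactly one argv entry, whatever characters it holds.
def run_as_list(password)
  IO.popen(ENV_FOR_DEMO, [RUBY, "-e", DUMP, "--", "-pw", password, "user@host"], &:read)
end

SAMPLES = ["$DEMO_VAR", "pw; echo INJECTED"]  # constructed inputs

if __FILE__ == $0
  SAMPLES.each do |pw|
    puts "password: #{pw.inspect}"
    puts "  string form: #{run_as_string(pw).inspect}"
    puts "  list form:   #{run_as_list(pw).inspect}"
  end
end
```

In the string form the second sample ends the first command at the semicolon and the rest runs as a separate command; in the list form the child receives the password unchanged as a single argument.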