On 27.08.2007 23:35, Felix Windt wrote:
>> On 27.08.2007 22:34, Felix Windt wrote:
>>> system("start putty.exe -X -ssh -pw #{ARGV[0]} myuserid@myhostname")
>> never trust parameters or their encoding, or you beg for privilege
>> escalation problems. The given command will perform both shell
>> expansion (consider a password like "%PATH%") and parameter
>> separation (consider a password like "pw; rm -rf /*").
> 
> It's generally a very bad idea to give a password on the command line. I'm
> not sure if Windows keeps a command line history, but all it would take is
> for the DOS Prompt to still be open, and for someone to arrow up.

Sure, but the problem is not limited to passwords. Any input you
cannot control or carefully check is bad if it is used in shell
expansion like the above. So better not start with it in the first
place, neither for passwords, nor for something like username@host
or other thought-to-be-friendly parameters.

- Matthias
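The argv-array alternative to the interpolated system() call, as an added example that is not part of the thread. The program name, flags and the "pw; rm -rf /*" password come from the quoted command; the helper names, the benign password and the stand-in child process are constructed for the demonstration.

```ruby
require 'shellwords'
require 'rbconfig'

# Constructed sample inputs, not taken from the thread: one benign password
# and the "pw; rm -rf /*" case the thread uses, which a shell would split
# into several arguments once interpolated into a command string.
BENIGN  = 'hunter2'
HOSTILE = 'pw; rm -rf /*'

# The pattern under discussion: a single string handed to system() is run
# through the shell, so every metacharacter in the password is interpreted.
def command_string(password)
  "putty.exe -X -ssh -pw #{password} myuserid@myhostname"
end

# The fix: build an argv array and hand it to system()/IO.popen as separate
# arguments. Ruby then execs the program directly, no shell involved, so
# the password always arrives as exactly one argument, whatever it contains.
def command_argv(password)
  ['putty.exe', '-X', '-ssh', '-pw', password, 'myuserid@myhostname']
end

# Model how a POSIX shell would word-split the interpolated string
# (Shellwords does splitting only; it does not model ';' or %VAR%
# expansion, and cmd.exe quoting differs) to show the argument count drift.
def shell_word_count(password)
  Shellwords.split(command_string(password)).length
end

# If a shell cannot be avoided on a POSIX system, escape each value before
# interpolating it; on Windows cmd.exe this helper is not sufficient.
def escaped_command_string(password)
  "putty.exe -X -ssh -pw #{Shellwords.escape(password)} myuserid@myhostname"
end

# Demonstrate the argv form without launching PuTTY: substitute a Ruby
# one-liner that echoes its ARGV, one element per line, as the child.
# The '--' stops Ruby from treating '-X' as one of its own options.
def child_receives(password)
  args = command_argv(password).drop(1)
  out = IO.popen([RbConfig.ruby, '-e', 'puts ARGV', '--', *args], &:read)
  out.split("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts "shell words, benign:  #{shell_word_count(BENIGN)}"
  puts "shell words, hostile: #{shell_word_count(HOSTILE)}"
  p child_receives(HOSTILE)
end
```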