From 638a011f2a58a64b10ae932e57e0ae62ce765524 Mon Sep 17 00:00:00 2001
From: Dylan Araps
Date: Sat, 30 Nov 2019 11:27:03 +0000
Subject: [PATCH] pash: Use a heredoc instead of printf
---
 pash | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/pash b/pash
index 0cad611..0a7b926 100755
--- a/pash
+++ b/pash
@@ -39,8 +39,17 @@ pw_add() {
 fi
 # Use 'gpg' to store the password in an encrypted file.
- printf %s "$pass" | "$gpg" "$@" -o "$name.gpg" &&
- printf '%s\n' "Saved '$name' to the store."
+ # A heredoc is used here instead of a 'printf' to avoid
+ # leaking the password through the '/proc' filesystem.
+ #
+ # Heredocs are sometimes implemented via temporary files,
+ # however this is typically done using 'mkstemp()' which
+ # is more secure than '/proc'.
+ "$gpg" "$@" -o "$name.gpg" <<-EOF
+ $pass
+ EOF
+
+ [ $# = 0 ] && printf '%s\n' "Saved '$name' to the store."
 }
 pw_del() {
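Review bot: The new `[ $# = 0 ] && printf ...` line no longer depends on gpg's exit status, so when no arguments are set a failed gpg run is still followed by "Saved '$name' to the store.", and when `$#` is non-zero the failed test becomes pw_add's return value. Keeping the status check on the heredoc's opening line would restore the old behaviour, for example `"$gpg" "$@" -o "$name.gpg" <<-EOF || return`. The heredoc also appends a newline that `printf %s` did not, so the encrypted payload is now `$pass` plus a trailing newline, which should be confirmed against whatever reads the entry back. The comment would be more accurate if it said that a temp-file heredoc briefly places the plaintext on disk, and that `printf` only appears under `/proc` in shells where it is not a builtin. pw_add begins above the hunk, so how `$@` is populated is not visible here.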