pash: Use a heredoc instead of printf

2019-11-30 11:27:03 +00:00 · 2019-11-30 11:27:03 +00:00 · 638a011f2a
parent 7b3be8069c
commit 638a011f2a
1 changed files with 11 additions and 2 deletions
--- a/13
+++ b/13
@ -39,8 +39,17 @@ pw_add() {
    fi

    # Use 'gpg' to store the password in an encrypted file.
-    printf %s "$pass" | "$gpg" "$@" -o "$name.gpg" &&
-        printf '%s\n' "Saved '$name' to the store."
+    # A heredoc is used here instead of a 'printf' to avoid
+    # leaking the password through the '/proc' filesystem.
+    #
+    # Heredocs are sometimes implemented via temporary files,
+    # however this is typically done using 'mkstemp()' which
+    # is more secure than '/proc'.
+    "$gpg" "$@" -o "$name.gpg" <<-EOF
+		$pass
+	EOF
+
+    [ $# = 0 ] && printf '%s\n' "Saved '$name' to the store."
 }

 pw_del() {