From: Eric Wong <normalperson@...>
Date: 2011-12-11T07:20:42+09:00
Subject: [ruby-core:41588] Re: [ruby-trunk - Feature #5741][Open] Secure Erasure of Passwords

Eric Wong <normalperson@yhbt.net> wrote:
> You can use IO#read / StringIO#read to overwrite an existing String:

String#tr! (on binary strings) can also work:

--------------------------------------
# -*- encoding: binary -*-
pass = ""
$stdin.sysread(256, pass)
pass.tr!("\0-\xff", "\0")
p pass
Process.kill(:ABRT, $$)
sleep

Maybe String#gsub! would, too, but regexp engines are quite complex and
may do buffering/copying of its own (I don't know regexp implementation
details well).  tr/tr! is pretty simple...

I'd still trust IO#sysread the most since passing a String buffer to it
is for optimization.  It would be stupid (and thus highly unlikely :)
that any Ruby implementation would copy/free() a buffer passed for IO
and replace it with another buffer internally.