zlacker

[return to "Detecting the use of "curl | bash" server-side"]
1. dev_du+H9[view] [source] 2018-07-29 05:16:26
>>rubyn0+(OP)
The obsession against shell pipes is so absolutely absurd. You’d download a dmg and drag it to your apps but not shell pipe? You’ll sudo dpkg -i but not a shell pipe?

Can anyone point to a single case of a shell pipe ever being abused ever?

◧◩
2. eboyjr+Oa[view] [source] 2018-07-29 05:41:00
>>dev_du+H9
I'd like to point out that the author is not directly discrediting shell pipes.

> a knowledgable user will most likely check the content first

The obvious workaround would be to download with curl, inspect, then run the virtually same inspected file through bash. This workflow is easier without necessarily using pipes. Package files can also be inspected before running and are not directly inspected in the browser.

Trust on the other hand is more complicated. Without doing tedious manual inspecting, you have to rely on the distributor. In this case, public keys aid in this regard, but also does not work with the `curl | bash` workflow.

[go to top]