zlacker

1. jamesc+(OP)[view] [source] 2018-07-29 02:00:44
This is immune to the attack:

    bash -c "$(curl -sSLf $URL)"

The key is to download first and then run.
replies(2): >>bencha+R >>arendt+Pf
2. bencha+R[view] [source] 2018-07-29 02:18:37
>>jamesc+(OP)
Or better yet:

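    # save the download to a file instead of printing it
    curl -o "$FILE" "$URL"
    # read the saved copy
    less "$FILE"
    # run the same file that was just read
    bash "$FILE"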

This attack only works at all if you download something and execute it immediately without looking at it.
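
An added example (not part of any comment in this thread): the download, review, then run flow described in the two comments above, extended with a SHA-256 pin so the file that gets executed is the file that was read. `fetch_script`, `sha256_of` and `run_if_pinned` are hypothetical helper names, and the demo uses a constructed local script in place of a real download.

```bash
#!/usr/bin/env bash
# Added example: fetch once to a file, review it, run that same file.

# Download URL to FILE. -f makes curl exit non-zero on an HTTP error,
# so an error page is never saved and later run as the script.
fetch_script() {
    local url="$1" file="$2"
    curl -sSLf -o "$file" "$url"
}

# Print the SHA-256 digest of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Run FILE only if its digest still equals the one recorded at review time.
# Keep FILE in a directory only you can write to (e.g. from mktemp -d).
run_if_pinned() {
    local file="$1" expected="$2" actual
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: content changed since review" >&2
        return 1
    fi
    bash "$file"
}

demo() {
    local dir file pin
    dir=$(mktemp -d) || return 1
    file="$dir/install.sh"
    # Constructed stand-in for: fetch_script "$URL" "$file"
    printf 'echo "installer ran"\n' > "$file"
    pin=$(sha256_of "$file")          # record the digest, then: less "$file"
    run_if_pinned "$file" "$pin"      # unchanged since review, so it runs
    printf 'echo "swapped payload"\n' >> "$file"
    run_if_pinned "$file" "$pin" || echo "blocked (exit $?)"
    rm -rf "$dir"
}
demo
```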

3. arendt+Pf[view] [source] 2018-07-29 08:14:04
>>jamesc+(OP)
Do you know if

    . <(curl -sL $url)

works (sourcing from a Process Substitution)?