[Freedom-misc] Don't do curl | bash

jason at bluehome.net jason at bluehome.net
Tue Jul 31 06:03:00 CEST 2018


https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

"So wouldn't it be great if a malicious payload would only render when piped  
to bash? A few people have tried this before by checking for the curl user  
agent which is by no means fail safe - the user may simply curl the url on  
the commandline revealing your malicious code. Luckily the behaviour of curl  
(and wget) changes subtly when piped into bash. This allows an attacker to  
present two different versions of their script depending on the context..."

Moral of the story: Don't do curl | bash, even if you've curled (or  
wget'd) it and read it first. Run the copy you downloaded and reviewed.
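
One way to follow that advice, as an added example that is not part of the original post: the script is fetched once to disk, its SHA-256 is recorded at review time, and the same file is executed only if the digest still matches. The helper names (digest_of, fetch_for_review, run_reviewed) and the example.invalid URL are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: fetch once, review the saved bytes, run exactly those bytes.
# Typical use (the URL is a placeholder):
#   sum=$(fetch_for_review https://example.invalid/install.sh ./install.sh)
#   less ./install.sh
#   run_reviewed ./install.sh "$sum"

digest_of() {
    # Print the SHA-256 of a file (sha256sum on Linux, shasum elsewhere).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

fetch_for_review() {
    # $1 = URL, $2 = destination file.
    # The response body goes to disk and is never handed to a shell here.
    curl --fail --silent --show-error --location --output "$2" "$1" || return 1
    chmod 600 "$2"    # not executable; it only runs through run_reviewed
    digest_of "$2"
}

run_reviewed() {
    # $1 = file, $2 = digest recorded at review time; remaining arguments
    # are passed through to the script.
    _rr_file=$1
    _rr_expected=$2
    shift 2
    if [ -z "$_rr_expected" ]; then
        echo "no review digest given for $_rr_file" >&2
        return 2
    fi
    # Re-hash immediately before execution, so a file that was swapped or
    # re-downloaded after the review is rejected instead of run.
    _rr_actual=$(digest_of "$_rr_file")
    if [ "$_rr_actual" != "$_rr_expected" ]; then
        echo "refusing to run $_rr_file: content changed since review" >&2
        return 3
    fi
    bash "$_rr_file" "$@"
}
```

Because the server is contacted only once, it has no second request on which to serve different content to the shell than it served to the reviewer.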

