duaneb on Nov 30, 2016 | on: Show HN: Anycomplete
Yup! Using curl at all is downright dangerous. /s
cyphar on Nov 30, 2016
Well, it's all about risk assessment. Curl has had RCE security bugs before[1]. That doesn't mean curl is "downright dangerous"; it just means that "it's safe because it doesn't pipe to sh" is also not a correct thing to say.
[1]: http://blog.volema.com/curl-rce.html
verandaguy on Nov 30, 2016
Incidentally, cURL just had a major security audit. The dev is doing due diligence to avoid RCE vulnerabilities.
duaneb on Nov 30, 2016
Piping to jq and sed is just fine. I'm not sure where sh comes into this...
cyphar on Dec 1, 2016
Unless there's a bug in curl, jq or sed that leads to an RCE, which is what my point was.