
This is immune to the attack:

    bash -c "$(curl -sSLf $URL)"

The key is to download first and then run.



Or better yet:

    curl -o "$FILE" "$URL"
    less "$FILE"
    bash "$FILE"

This attack only works at all if you download something and execute it immediately without looking at it.
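
The difference between piping into a shell and downloading first, as an added example that is not part of the thread. `flaky_fetch` is a constructed stand-in for `curl -sSLf "$URL"` whose transfer drops partway, and `stream_and_run` / `fetch_then_run` are hypothetical helper names:

```shell
#!/bin/sh
# Constructed stand-in for `curl -sSLf "$URL"`: emits the first command of a
# script, then fails the way curl does on a partial transfer (exit code 18).
# $1 is a marker file the emitted command creates, so execution is observable.
flaky_fetch() {
    printf 'echo ran > "%s"\n' "$1"
    return 18
}

# Streaming form (`fetch | sh`): the shell executes commands as they arrive,
# so whatever was received runs even though the transfer never completed.
# The pipeline's status is the shell's, so the fetch failure goes unnoticed.
stream_and_run() {
    "$@" | sh
}

# Download-first form: buffer the whole script into a temp file, refuse to
# continue if the fetch failed, and execute only the complete local copy.
# Usage with a real download: fetch_then_run curl -sSLf "$URL"
fetch_then_run() {
    file=$(mktemp) || return 1
    if ! "$@" > "$file"; then
        rm -f "$file"
        echo "fetch failed, nothing executed" >&2
        return 1
    fi
    # Review point: the script is fully on disk here and can be read
    # (for example with less) before the next line executes it.
    sh "$file"
    status=$?
    rm -f "$file"
    return "$status"
}
```
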


Do you know if

  . <(curl -sL $url)
works (sourcing from a Process Substitution)?



