alt Hacker NewsWow, the rare
bash <(curl foo.sh)
curl foo.sh | bash
# Gives you a copy of the file, but still streams to bash
curl foo.sh | tee /tmp/foo.sh | bash
# No copy of file but ensures stream finishes then bash runs
bash -c "$(curl foo.sh)"
# Best: Gives copy of file and ensures stream finishes
curl foo.sh -o /tmp/foo.sh && bash $_
Replies
0xbadcafebee • yesterday at 3:10 AM
t=$(mktemp) && [ -w $t ] && curl foo.sh -o $t && echo "$t lksjdfkljshdkfljhdsklfjhslkdjfhsdlkjfhslkdjhf" | sha256sum -c - && bash $t
wakawaka28 • last Saturday at 11:54 PM
If you want to be super pedantic, try to make the command shell-agnostic in case the user is not running bash already.
> Equivalent but just as unsafe.
To my understanding, the main difference between "curl directly to bash" and "curl to a temp file, then execute the temp file" is "the attacker could inject additional malicious commands when curl'd directly to bash".
If you're not going to then also read all the source code from the download script (& the source code used to produce the binaries), this suggests the attitude of "I mistrust anything I can't read; but will trust anything I could read (without having to read it)".
It seems more likely that malicious code would be in a precompiled binary, compared to malicious commands injected into "curl to bash". -- Though, if there have ever been any observed cases of a server injecting commands from "curl ... | tee foo | bash", I'd be curious to know about these.