undefined | Better HN

0 pointsantx4y ago0 comments

The most probable issue related to this kind of behaviour is pastejacking.

It's possible for the server to detect that you're actually using curl (with the help of the user agent of other methods) and also that you're piping it to an interpreter.

Knowing that, the server could send you a malicious payload, that wouldn't be apparent when only downloading the file otherwise.

Some people think this isn't the real issue, that (the lack of) code signing is the real problem. I don't disagree with that, but really, people should look at the code they're going to execute, whenever possible.

And when I say "whenever possible", I sure believe a few lines of shell script deserves to be inspected. Even if you lose the 0.5 seconds of automation the pipe provided. I mean, we're not talking about millions of lines of kernel code, here.

0 comments

2 comments · 1 top-level

turboponyy4y ago· 1 in thread

How can the server tell whether you're just curling or curling and piping that output to an interpreter?

franga20004y ago

Weird timing magic, if I recally correctly: https://news.ycombinator.com/item?id=17636032

j / k navigate · click thread line to collapse