
If curl loses connection to the source website while downloading the script, then the partially downloaded script will be executed, no matter what. This is a main drawback of the curl-to-shell piping approach, and the original article is missing it entirely.


A common solution is to wrap all code within a function. This way nothing gets executed until the last line, the one that calls the function, is executed.

  function main () {
     # all code goes here
  }
  main


Common, but not universal. If I pipe a response body into a shell, I don't get to check whether they were careful or not.


No. It's addressed in the second-to-last bullet, "Partial content".


Yeah, "it will happen anyway" misses the point that curl will notify you of the failed download before you run it, whereas piping it to sh will immediately run it.


Is that really much of a problem? I can't remember the last time I had a download fail partway through, and they are usually much bigger than a bootstrapping script.


I mean, it's unlikely, but imagine it did happen and something in the script like "rm -rf /some/path" gets truncated to "rm -rf /" and immediately run.

Even if your connection is TLS secured, an MITM attack of causing a connection reset after X bytes could be a viable attack.


As was pointed out both in the article and the comments here, this is easily addressed by wrapping everything in a function (or subshell, for that matter).
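
The truncation case discussed in this thread, as an added example that is not from any of the commenters: a constructed installer body is cut off mid-command and fed to `sh` on stdin, once as plain top-level commands and once wrapped in a function. The names `BODY`, `WRAPPED`, `truncate_after` and `run_truncated` are made up for the demo, and everything runs inside a throwaway `mktemp -d` directory.

```shell
#!/bin/sh
# Constructed installer body; $ROOT stays literal here and is expanded
# only by the child shell that executes the script.
BODY='mkdir -p $ROOT/app/cache
rm -rf $ROOT/app/cache
echo ok > $ROOT/installed'

# The same body wrapped in a function that is called on the very last line.
WRAPPED="main() {
$BODY
}
main"

# truncate_after TEXT MARKER: emit TEXT up to and including the first MARKER
# with no trailing newline, simulating a download that drops mid-line.
truncate_after() {
    head=${1%%"$2"*}
    printf '%s%s' "$head" "$2"
}

# run_truncated SCRIPT: pipe the truncated script into sh (as curl | sh would)
# and report whether the pre-existing file app/keep survived.
run_truncated() {
    ROOT=$(mktemp -d) || return 2
    mkdir -p "$ROOT/app" && echo data > "$ROOT/app/keep"
    # Cut inside the rm line: "rm -rf $ROOT/app/cache" becomes "rm -rf $ROOT/app".
    truncate_after "$1" 'rm -rf $ROOT/app' | ROOT="$ROOT" sh 2>/dev/null || true
    if [ -e "$ROOT/app/keep" ]; then result=survived; else result=deleted; fi
    rm -rf "$ROOT"
    echo "$result"
}

# Plain commands: the shell runs the cut-off rm line when it hits EOF.
echo "unwrapped: $(run_truncated "$BODY")"
# Function wrapper: EOF inside the definition is a syntax error, nothing runs.
echo "wrapped:   $(run_truncated "$WRAPPED")"
```

The wrapper only helps if the script's author used it; downloading to a file and checking curl's exit status before running it covers both cases.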



