So I was wondering what the flags do too, to check if this is any safer. My curl manual does not say that -f will not output half downloaded files, only that it will fail on HTTP response codes of 400 it greater... Did you test that it does not emit the part that it got on network error?
At least with the $() that timing attack won't work, because you only start executing when curl completes...
tgt
joined 1 year ago
What's that? A connection problem? Ah, it's already running the part that it did get... Oops right on the boundary of rm -rf /thing/that/got/cut/off. I'm angry now. I expected the script maintainer to keep in mind that their script could be cut off at litterally any point... (Now what is that set -e the maintainer keeps yapping about?)
Can you really expect maintainers to keep network error in mind when writing a Bash script?? I'll just download your script first like I would your binary. Opening yourself up to more issues like this is just plain dumb.
See the proof of concept for the pipe detection mentioned elsewhere in the thread https://github.com/Stijn-K/curlbash_detect . For that to work, curl has to send to stdout without having all data yet. Most reasonable scripts won't be large enough, and will probably be buffered in full, though, I guess.
Thanks for the laugh on the package installer, haha.