Serve https://aviary.sh/install with a text/plain content-type

Open simonw opened this issue 5 years ago • 5 comments

https://aviary.sh/install is currently served with an application/octet-stream content-type:

$ curl -i https://aviary.sh/install
HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 1266
Server: GitHub.com
Content-Type: application/octet-stream
...

This means that when I visit https://aviary.sh/install in my browser I get a prompt to download the script.

I never like to run curl https://aviary.sh/install | sudo bash without first eyeballing the script I'm about to execute. Serving that script with text/plain would make it much easier to see what it's actually going to do.

simonw avatar Jun 25 '20 19:06 simonw

You might consider running something like this instead to inspect it: curl https://aviary.sh/install | vim - (you don't even have to pipe it to see the output).

FWIW, inspecting scripts like this in your browser vs via curl could produce different results. If the site is acting in a malicious manner the response could be modified when the user agent is curl.

ldavison avatar Jun 25 '20 21:06 ldavison
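As an added example (not code from the aviary.sh project or from anyone in this thread), here is a POSIX sh script that splits the install step into download, inspect and verify instead of piping into sudo bash. It covers both points made so far: it reads the Content-Type the server actually sent (so the download-prompt problem in the issue is visible from the command line), and it compares the fetched body with a reference copy, which is the check that catches a server answering curl with a different body than it gives a browser. The sample headers are constructed from the curl -i output quoted above; the reference file, output path and the fetch_and_verify helper are assumptions of this example, not part of the project.

```shell
#!/bin/sh
# Added example (not from the aviary.sh project): the checks a cautious
# installer does instead of "curl URL | sudo bash": look at the Content-Type,
# keep the script as a file, compare it with a reference copy, and only then
# run it as a separate, explicit step.

# Sample headers constructed from the curl -i output quoted in the issue.
OCTET_HEADERS='HTTP/1.1 200 OK
Connection: keep-alive
Content-Length: 1266
Server: GitHub.com
Content-Type: application/octet-stream'

# Constructed: what the same response would look like once served as text/plain.
TEXT_HEADERS='HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8'

# Print the media type from a block of response headers (as `curl -i` or
# `curl -D -` emit them): lower-cased, CR stripped, parameters dropped.
content_type() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk 'tolower($1) == "content-type:" { sub(/;.*/, "", $2); print tolower($2); exit }'
}

# Succeed only if a browser would display the body instead of offering a download.
is_viewable_script() {
    case "$(content_type "$1")" in
        text/plain|text/x-shellscript|text/x-sh) return 0 ;;
        *) return 1 ;;
    esac
}

# SHA-256 of a file, using whichever tool the platform ships.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Succeed only if the downloaded script is byte-identical to a reference copy
# (for example the install file from a git clone of the project). This catches
# a server that hands curl a different body than it hands a browser.
same_content() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

# Hypothetical helper: download to a file, keep the headers, report what was
# served, and refuse to continue unless the body matches the reference file.
# Nothing is executed here; running the verified file is left to the operator.
fetch_and_verify() {
    url=$1
    ref=$2
    out=$3
    hdrs=$(curl -fsS -D - -o "$out" "$url") || return 1
    printf 'served as: %s\n' "$(content_type "$hdrs")"
    is_viewable_script "$hdrs" || printf 'note: a browser would offer a download for %s\n' "$url"
    if same_content "$ref" "$out"; then
        printf 'verified: %s matches %s\n' "$out" "$ref"
    else
        printf 'MISMATCH: %s differs from %s; not safe to run\n' "$out" "$ref" >&2
        return 1
    fi
}

# Offline demo on the constructed headers (no network access needed).
printf 'issue headers -> %s\n' "$(content_type "$OCTET_HEADERS")"
printf 'fixed headers -> %s\n' "$(content_type "$TEXT_HEADERS")"
```

Usage would be `fetch_and_verify https://aviary.sh/install ./aviary.sh/install /tmp/install` after cloning the repository, followed by reading /tmp/install and running it only once it has been reviewed. The reference comparison is the part that matters for ldavison's concern: a Content-Type fix helps a human look at the script, but only comparing the bytes curl received against a copy obtained another way shows that both paths serve the same file.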

I can't pipe to vim on my phone. I just want a quick way of inspecting the script.

(Yeah the whole pipe to sudo pattern is pretty dubious from a security point of view, but I see that as a separate issue)

simonw avatar Jun 25 '20 21:06 simonw

We chatted about the | sudo bit before we released this, and it's not a pattern I use (I'll download a script, read it, and browse the sources of a project, especially for something that's running on infrastructure).

I like the intent behind the content type change, but shouldn't folks who use this come on over to the GitHub repo and read the few lines of sources if they are going to use it on their machines?

Is getting to https://github.com/team-video/aviary.sh/blob/master/install too inconvenient from mobile?

dougbrunton avatar Jun 25 '20 21:06 dougbrunton

It wasn't instantly obvious to me that the file served by https://aviary.sh/install is the same as the file in https://github.com/team-video/aviary.sh/blob/master/install.

Admittedly, I didn't spend a great deal of time thinking about this. I pasted https://aviary.sh/install into my browser, got a "download this file?" prompt, ran curl 'https://aviary.sh/install' to view it instead and filed an issue complaining about the mild inconvenience caused by the unexpected content-type header.

simonw avatar Jun 26 '20 00:06 simonw

Yes, makes sense. Let's move this to a place where we can set our own Content-Type headers.

dchester avatar Jun 26 '20 03:06 dchester