
don't suggest curl | bash

Open rspier opened this issue 7 years ago • 6 comments

http://learn.perl.org/installing/osx.html contains

curl -L http://xrl.us/installperlosx | bash

which is a horrible security anti-pattern.

Yes, it's extremely simple, but we shouldn't be encouraging people to do this without enough warnings to dissuade them. What happens if someone changes where that short link redirects to? What if someone changes the result to do sudo rm -rf /.

rspier avatar Jul 15 '17 22:07 rspier

Well Ask owns xrl.us and I own the GH installperlosx account...

It has also been like this for years

Happy to add copy saying people should check the source first or something - but it's going to take them a while to do so...

Also this doesn't need (indeed should not be) root user doing it... that kind'a being the point... which might be another thing to clarify I guess

On 15 Jul 2017, at 23:17, Robert [email protected] wrote:

http://learn.perl.org/installing/osx.html contains

curl -L http://xrl.us/installperlosx | bash

which is a horrible security anti-pattern.

Yes, it's extremely simple, but we shouldn't be encouraging people to do this without enough warnings to dissuade them. What happens if someone changes where that short link redirects to? What if someone changes the result to do sudo rm -rf /.


ranguard avatar Jul 16 '17 09:07 ranguard

It's less about whether this specific case is good or bad and more about this particular pattern being bad. Ok, it's safe this time. But it might not be next time. What if your github account gets hacked? What if gugod's github account gets hacked. Or if they start getting used to this anti-pattern and run it for some other tool?

(Yes, this is nearly exactly as dangerous as downloading any other pre-compiled binary, but for some reason it feels riskier.)

What's wrong with the perl that comes with OSX?

rspier avatar Jul 16 '17 22:07 rspier

Also: since it's http I don't need to own the endpoints to inject bad stuff in the curl response. If it were https, that would be better, but xrl.us doesn't support https (or at least the cert was failing for me today).

VynceMontgomery avatar May 30 '19 18:05 VynceMontgomery

FWIW, I just fixed the cert.

rspier avatar May 31 '19 03:05 rspier

What's wrong with the perl that comes with OSX?

A few things now, apparently: https://rt.cpan.org/Public/Bug/Display.html?id=127028

Grinnz avatar Oct 22 '19 01:10 Grinnz

Either way, curl | bash isn't a terribly safe thing to do.

rspier avatar Oct 22 '19 01:10 rspier
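The safer pattern the thread keeps circling back to (fetch over https, keep the script on disk so it can be read, pin a checksum, and only then run it), as an added example that is not part of the issue or of learn.perl.org; the function names and the expected-hash argument are assumptions of this example:

```bash
#!/bin/sh
# Replacement for `curl -L http://... | bash`: download, verify, inspect, run.
# Hypothetical helpers written for this example, not the installperlosx script.

# SHA-256 of a file, portable across Linux (sha256sum) and macOS (shasum).
file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_and_run FILE EXPECTED_SHA256 [INTERPRETER]
# Runs FILE only when its digest matches the pinned value; otherwise returns 1
# without executing anything. A changed redirect target or an injected
# response body shows up here as a mismatch instead of as executed code.
verify_and_run() {
  file=$1; expected=$2; interp=${3:-sh}
  actual=$(file_sha256 "$file")
  if [ "$actual" != "$expected" ]; then
    echo "refusing to run $file: sha256 $actual != expected $expected" >&2
    return 1
  fi
  "$interp" "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# Accepts only https URLs and, via --proto-redir, only https redirect targets,
# so a short link that starts redirecting to plain http fails closed. The
# download stays on disk so the reader can look at it before trusting it.
fetch_verify_run() {
  url=$1; expected=$2
  case $url in
    https://*) ;;
    *) echo "refusing non-https URL: $url" >&2; return 1 ;;
  esac
  tmp=$(mktemp) || return 1
  if ! curl --fail --silent --show-error -L \
        --proto '=https' --proto-redir '=https' -o "$tmp" "$url"; then
    rm -f "$tmp"; return 1
  fi
  echo "downloaded to $tmp; read it before relying on the pinned hash" >&2
  verify_and_run "$tmp" "$expected"
}
```

The pinned hash has to come from somewhere other than the download itself (the project's release page or announcement), otherwise the check only proves the file matches itself.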