by slau 3380 days ago
Not really the same. One of the main issues with curl pipes is that the server (or MITM) can detect that the request goes into a pipe.

This allows an attacker to display one (safe) source when you view it in your browser on your workstation, or wget it, and serve a different (nefarious) source when you curl/pipe it.

So, a more complete analogy would be: a bottle that gives you a safe chemical compound when you extract it for analysis, but throws in some VX when you go to administer it.

1 comments

How can you detect if the output is curl/piped?
https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-b...

Summary: Fill your script with an invisible payload that fills any buffers, and put something time-consuming (say `sleep 5`) early in your script in order to detect that the script is being executed directly rather than just stored to disk. If the client halts before having read all data, it is likely a `curl | bash` scenario. If it just keeps reading, it's a regular browser just downloading.

I would hazard a guess that curl won't send the standard request headers that browsers would.
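
A client-side mitigation for the behaviour discussed in this thread, as an added example that is not part of any comment above: the script is written to disk in full before any interpreter reads it, so the transfer looks like a plain download, and it only runs if its digest matches the one recorded when the script was reviewed. The function names are hypothetical and the URL in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: run an installer only after it is fully on disk
# and matches a digest pinned at review time.

# sha256_of FILE: print the lowercase hex SHA-256 of FILE
# (sha256sum on Linux, shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# fetch_script URL OUT: download the whole body before anything executes.
# No interpreter is reading from the socket, so there is no mid-transfer
# pause for the server to time.
fetch_script() {
    curl --fail --silent --show-error --location \
         --proto '=https' --tlsv1.2 --output "$2" "$1"
}

# run_if_pinned FILE EXPECTED_SHA256 [ARGS...]
# Execute FILE with sh only if its digest equals EXPECTED_SHA256.
# Returns 2 if FILE is missing, 3 on digest mismatch (nothing is run).
run_if_pinned() {
    file=$1; expected=$2; shift 2
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 3
    fi
    sh "$file" "$@"
}

# Usage (placeholder values):
#   fetch_script "https://example.invalid/install.sh" /tmp/install.sh
#   less /tmp/install.sh        # review the bytes that will actually run
#   run_if_pinned /tmp/install.sh "<sha256 recorded at review time>"
```

The pinned digest has to come from a copy you reviewed or from a channel independent of the download server; a digest fetched alongside the script from the same host adds nothing.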