[tekromancr]

What security implications does running curl have that wouldn't be present in a browser?

[feanaro]

There have been instances of terminal vulnerabilities via terminal escape codes, as bad as an RCE in iterm2: https://blog.mozilla.org/security/2019/10/09/iterm2-critical.... I suppose the OP is thinking of something like that.

[tekromancr]

Yea, I was wondering about that; but the risk feels similar to a browser RCE to me. Maybe it's higher because browsers are more widely used/analyzed; but then again, a browser RCE has a much wider range of targets with more opportunities to exploit

[dundarious]

Even just having the potential for the terminal to interpret escape codes is frustrating. Always pipe remote output to `less` or `less -R` (not `less -r`).

[laumars]

And this is exactly why I’m always playing the damp squid when people advocate for more features being supported via shell escape codes.

[artursapek]

I’m wondering the same. You’re not piping them into a shell.