(reply to sibling comment from unixbane which is [dead] for some reason:)

> tell me the specific way you check your stuff before pasting so I can tell you how it's either broken or you're the 0.001% user and nobody else does that.

I'm no 0.001% user, I'm not a shell expert and I can't catch everything, but in the context of this particular post:

- I know how string quoting in programming languages broadly works (no need to know if ' or " escapes or not - just know that if there's any quotes inside the string it deserves a closer look)
- I know that $ in bash (& some other languages) precedes something dynamic (maybe variable substitution, maybe inline code, no need to know about stuff in any detail, just enough to be suspicious)
- I know pipe chars in shells generally separate commands (no need to understand io redirection in any detail here)
- I know that URLs tend to follow boring conventions - if it's not domain/alphanum/alphanum?alphanum=etc then it's suspect and needs further attention (URLs can contain many weird chars but normal ones tend not to)

The above bullets are pretty basic imo - you don't need to be a bash wizard to grok that much. If you know these, you'd never run the one-liner shown in the OP.

Extra:

- if it's a one-liner crossing scroll boundaries, that's too long (excepting very long URLs maybe if they're super-simple)

As a counter-example, here's the type of stuff most people copy-paste into shells all the time:

    curl http://example.com/simple/path | bash

That's interesting here for two reasons:

1. as an inline threat, it's clearly harmless - the URL has no unusual special chars or $ and the command is very short - it can be read & grokked at a glance.
2. as a general threat, this is very dangerous because (a) it's unencrypted/MITM-able and (b) you may or may not trust the hosted script being downloaded and eval-ed on your machine.

My overall point here is: there's plenty of valid & dangerous social engineering threats in your terminal; plainly obvious inline quoting problems ain't it.