Hacker News new | ask | show | jobs
by adamckay 1350 days ago
> Ok, if you feel so strongly about it, then before you paste the link into your terminal and hit enter to execute it, how about you uh... open the shell script it will execute in your browser and read the contents of it?

As an FYI - unless the script is on a site like GitHub (which you can assume to be behaving truthfully), it's possible for a server to respond differently according to the user agent, allowing a malicious file to be served if it's downloaded via `curl` or `wget`.

https://www.onsecurity.io/blog/careless-with-curl-dont-be/
1 comments
joshmanders 1350 days ago
As an FYI - The bash script downloads it and then runs bash on the file created on your local system, there's no way to determine if the user is downloading and piping directly into bash or if they're just downloading the file, so change the script before executing from

    wget -q https://get.coollabs.io/coolify/install.sh -O install.sh; sudo bash ./install.sh
to

    wget -q https://get.coollabs.io/coolify/install.sh -O install.sh; cat install.sh
Once the script is locally on your file system there is no way to change the contents.
link
adamckay 1350 days ago
Yep. My response was specific to your comment of reading in browser which is not a guarantee of what's downloaded.
link
joshmanders 1350 days ago
My apologizes, I interpreted it as a "yeah but they can change it so you can't trust it!!!1!" response.
link