by solatic
807 days ago
> The user wants to read the script before executing it, and their preferred reader (perhaps due to browser extension or something) is a standard browser.

I mean, the point of wanting to read the script before executing it is to try and protect yourself from malicious scripts that abuse the curl | sh pattern. So since it would be simple enough for a malicious actor to return something different when the user agent indicates the usage of curl, the only responsible thing to do, anyway, is to use curl to download the script to a file, read the file, then execute the file.

> `curl` aliased to `curl-impersonate`

So when the user uses a tool to impersonate a browser, they'll see exactly what they'll see in a browser... which are the quick-install instructions anyway, which can include a note about the user agent, if anyone actually hits this in the real world?

> wget / lynx / some headless browser

Which would provide the quick-install instructions to use curl :)
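The download, read, then execute sequence from the comment above, as an added shell example that is not part of the original comment: the script is fetched once with curl, shown in a pager, and only that same file is run. The function names, the hash re-check after review, and the `https://example.com/install.sh` URL are assumptions for illustration; `sha256sum` is assumed to be installed.

```shell
#!/bin/sh
# Added example: download to a file, read it, then run the same bytes.
# Nothing is piped from the network into sh.

# fetch_script URL OUT: save the script to OUT; https only, fail on HTTP errors.
fetch_script() {
    curl --fail --silent --show-error --location \
         --proto '=https' --proto-redir '=https' \
         --output "$2" "$1"
}

# sha256_of FILE: print the SHA-256 hex digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# review_and_run FILE: show FILE in $PAGER, ask for confirmation on stdin,
# and execute it only if the answer is "y" and the file has not changed
# since it was displayed.
# Returns 1 if declined, 2 on read errors, 3 if the file changed.
review_and_run() {
    file=$1
    before=$(sha256_of "$file") || return 2
    echo "sha256: $before" >&2
    ${PAGER:-less} "$file" || return 2
    printf 'Run this script? [y/N] ' >&2
    read -r answer || answer=n
    [ "$answer" = "y" ] || { echo "not run" >&2; return 1; }
    after=$(sha256_of "$file") || return 2
    [ "$before" = "$after" ] || { echo "file changed after review" >&2; return 3; }
    sh "$file"
}

# Usage (the URL is a placeholder, not a real installer):
#   tmp=$(mktemp) &&
#   fetch_script https://example.com/install.sh "$tmp" &&
#   review_and_run "$tmp"
```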