discourage piping the output of curl directly into bash

[petermaloney]

Would you please remove the suggestion to pipe the output of curl directly into bash? This is a very bad security practice. To prove this, please see my example here:

http://www.brockmann-consult.de/peter2/securitylesson/

It uses a simple RewriteCond and RewriteRule to give you a different script depending on your user agent. Even if your provider doesn't give you access to do this, a simple man-in-the-middle attack or someone that runs the provider can accomplish the same thing. And even if somehow your site was magically immune to this, you should not be encouraging anyone to use this method, but instead to be cautious.

Thanks

[C0NPAQ]

I WROTE ONE THAT IS EVEN BETTER

http://master.ms/security-check.php

HAHAHAHAHA :D :D :D

[C0NPAQ]

HAHAHAAHAHAHAHAHAHAHAA

:D :D

[pauldraper]

+1

As much as I would to download some invisible script from shellshocksRus.co, etc., it isn't a good idea.

At worst, it's a hacker trying to ruin my life. At best, it's a very smelly practice by a security website that should know better.

[wreiske]

I understand that it's bad practice, though one liners are becoming the de-facto-standard for installing and running scripts on systems.

See https://www.meteor.com/install for example,

Install the latest official Meteor release from your terminal:

curl https://install.meteor.com/ | sh

People want a fast and effective way to test their system, the one liner helps them do that. I went with the one liner because I wanted something people could copy and paste and be sure they are always getting the latest test for their system. If we have someone download the script first, then execute it, they might go back to the same script (even though it's been updated) and run an outdated test.

The one liner ensures every run is the latest script available to test their systems.