this post was submitted on 23 Feb 2026
144 points (98.0% liked)

Selfhosted


I set up a quick demonstration to show risks of curl|bash and how a bad-actor could potentially hide a malicious script that appears safe.

It's nothing new or groundbreaking, but I figure it never hurts to have another reminder.

[–] wildbus8979@sh.itjust.works 28 points 21 hours ago (3 children)

And you better inspect and execute a downloaded copy, because a malicious actor can serve a different file for curl/wget than to your browser

[–] Flipper@feddit.org 17 points 21 hours ago (2 children)

They can even serve a different file for curl vs curl|bash

[–] wildbus8979@sh.itjust.works 8 points 21 hours ago

Yeah, they do. I remember that the demo was pretty impressive ten or fifteen years ago!

[–] deadbeef79000@lemmy.nz 5 points 19 hours ago (2 children)

Does curl send a different useragent when it's piped?

Searching for those words just vomits 'hOW to SeT cUrL's UseRaGenT' blog spam.

[–] Flipper@feddit.org 13 points 17 hours ago* (last edited 5 hours ago) (1 children)

It's timing based. When piped a script, bash executes each line completely before taking the next line from the input. Curl has a limited output buffer.

  1. An operation that takes a long time, like a sleep or, if you want it less obvious, a download, an unzip operation, apt update, etc.
  2. Fill the buffer with more bash commands.
  3. Measure on the server whether at some point curl stops downloading the script.
  4. Serve a malicious payload.

[–] deadbeef79000@lemmy.nz 1 points 5 hours ago

Oh that is clever.

[–] qupada@fedia.io 4 points 18 hours ago

Not that I know of, which means I can only assume it'll be a timing-based attack.

With strategic use of sleep statements in the script you should stand a pretty good chance of detecting the HTTP download blocking while the script execution is paused.

If you were already shipping the kind of script that unpacks a binary payload from the tail end of the file and executes it, it's well within the realm of possibility to swap it for a different one.

[–] K3can@lemmy.radio 10 points 21 hours ago* (last edited 21 hours ago)

Yep! That's what the post shows.

I created a live demo file, too, so that you can actually see the difference based on how you request the file.

[–] csm10495@sh.itjust.works 2 points 16 hours ago

Hit the nail on the head. Download the file, inspect, then run that local copy.