New favorite tool 😍

  • @[email protected]
    6 months ago

    It is absolutely possible to know as the server serving a bash script if it is being piped into bash or not purely by the timing of the downloaded chunks. A server could halfway through start serving a different file if it detected that it is being run directly. This is not a theoretical situation, by the way, this has been done. At least when downloading the script first you know what you’ll be running. Same for a source tarball. That’s my main gripe with this piping stuff. It assumes you don’t even care about the security.
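The download-first approach the comment above describes, as an added shell example that is not part of the thread: the script is written to disk in full, compared against a SHA-256 digest pinned in advance, and only then run, so the bytes executed are the bytes that were checked. The function names and the URL and digest arguments are assumptions of this example.

```shell
# Added example, not from the thread. URL and pinned digest are supplied by the caller.

sha256_of() {
    # Print the SHA-256 hex digest of a file (GNU coreutils, or shasum on macOS/BSD).
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

verify_script() {
    # verify_script FILE EXPECTED_SHA256 -> status 0 only if the digest matches.
    actual=$(sha256_of "$1")
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

fetch_verify_run() {
    # fetch_verify_run URL EXPECTED_SHA256 [ARGS...]
    url=$1; expected=$2; shift 2
    tmp=$(mktemp) || return 2
    # The whole file is on disk (or the download has failed) before anything executes,
    # so the server cannot react to how the script is being consumed.
    if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
        rm -f "$tmp"; return 3
    fi
    if ! verify_script "$tmp" "$expected"; then
        echo "digest mismatch for $url, not running" >&2
        rm -f "$tmp"; return 1
    fi
    bash "$tmp" "$@"; rc=$?
    rm -f "$tmp"
    return $rc
}
```

The pinned digest has to come from somewhere other than the server that serves the script, otherwise the check only detects corruption.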

    • @[email protected]
      6 months ago

      That makes the exploit less detectable, sure. Not fundamentally less secure though.

      > This is not a theoretical situation, by the way, this has been done

      Link btw? I have not heard of an actual attack using this.