
Post History

Q&A Is it a bad idea to pipe a script from curl to your shell?

I won’t repeat the points mentioned in Ordoviz’s answer, but there’s another important aspect which is often forgotten: when you pipe a script to a shell (or pass it as an argument to -c), whatever...

posted 3mo ago by Stephen Kitt‭  ·  edited 3mo ago by Stephen Kitt‭

Answer
#2: Post edited by Stephen Kitt · 2024-08-09T15:53:46Z (3 months ago)
  • I won’t repeat the concerns raised in [Ordoviz’s answer](https://linux.codidact.com/posts/292138/292146#answer-292146), but there’s another important aspect which is often forgotten: when you pipe a script to a shell (or pass it as an argument to `-c`), whatever is downloaded will be executed, even if the download is incomplete. This can lead to frustration, hilarity, or disaster (think of an unfortunately truncated `rm`…).
  • Authors of scripts intended for execution in this way can guard against this by making sure that the script only runs if it’s complete. There are a couple of techniques to do this. [Asahi Linux’s bootstrap script](https://github.com/AsahiLinux/asahi-installer/blob/5f0814ba90d2814081c2e9ed516675dd75ab3c6e/scripts/bootstrap.sh#L4) relies on the fact that an `if` block is entirely parsed before being run. Other scripts define their contents as one or more functions first, and have the function call which kicks everything off as the last line of the script. As far as I can tell, [the Homebrew installation script](https://github.com/Homebrew/install/blob/master/install.sh) doesn’t guard against truncation.
  • I won’t repeat the points mentioned in [Ordoviz’s answer](https://linux.codidact.com/posts/292138/292146#answer-292146), but there’s another important aspect which is often forgotten: when you pipe a script to a shell (or pass it as an argument to `-c`), whatever is downloaded will be executed, even if the download is incomplete. This can lead to frustration, hilarity, or disaster (think of an unfortunately truncated `rm`…).
  • Authors of scripts intended for execution in this way can guard against this by making sure that the script only runs if it’s complete. There are a couple of techniques to do this. [Asahi Linux’s bootstrap script](https://github.com/AsahiLinux/asahi-installer/blob/5f0814ba90d2814081c2e9ed516675dd75ab3c6e/scripts/bootstrap.sh#L4) relies on the fact that an `if` block is entirely parsed before being run. Other scripts define their contents as one or more functions first, and have the function call which kicks everything off as the last line of the script. As far as I can tell, [the Homebrew installation script](https://github.com/Homebrew/install/blob/master/install.sh) doesn’t guard against truncation.
#1: Initial revision by Stephen Kitt · 2024-08-09T15:53:17Z (3 months ago)
I won’t repeat the concerns raised in [Ordoviz’s answer](https://linux.codidact.com/posts/292138/292146#answer-292146), but there’s another important aspect which is often forgotten: when you pipe a script to a shell (or pass it as an argument to `-c`), whatever is downloaded will be executed, even if the download is incomplete. This can lead to frustration, hilarity, or disaster (think of an unfortunately truncated `rm`…).

Authors of scripts intended for execution in this way can guard against this by making sure that the script only runs if it’s complete. There are a couple of techniques to do this. [Asahi Linux’s bootstrap script](https://github.com/AsahiLinux/asahi-installer/blob/5f0814ba90d2814081c2e9ed516675dd75ab3c6e/scripts/bootstrap.sh#L4) relies on the fact that an `if` block is entirely parsed before being run. Other scripts define their contents as one or more functions first, and have the function call which kicks everything off as the last line of the script. As far as I can tell, [the Homebrew installation script](https://github.com/Homebrew/install/blob/master/install.sh) doesn’t guard against truncation.
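
The truncation behaviour and the two guards described in the answer, as an added example that is not part of the original post or of any project it links to. The script bodies, the `/tmp/demo-build-dir` path and the function names are constructed for illustration; `echo` stands in for real installer commands, and the interrupted download is simulated by cutting each script at the same point.

```shell
#!/bin/sh
# Constructed sample scripts; echo stands in for real installer commands.

# No guard: each line runs as soon as the shell has read it.
unguarded() {
cat <<'EOF'
echo step-1
echo cleanup /tmp/demo-build-dir
EOF
}

# Guard 1: body defined as a function, with the call on the last line.
guarded_function() {
cat <<'EOF'
main() {
  echo step-1
  echo cleanup /tmp/demo-build-dir
}
main "$@"
EOF
}

# Guard 2: body inside an if block, which is parsed in full before it runs.
guarded_if() {
cat <<'EOF'
if true; then
  echo step-1
  echo cleanup /tmp/demo-build-dir
fi
EOF
}

# Simulate an interrupted download: drop everything from "-build-dir" onward,
# then feed what is left to a shell on stdin, as a curl-to-sh pipe would.
run_truncated() {
  script=$("$1")
  printf '%s' "${script%-build-dir*}" | sh 2>/dev/null
}

# Complete download, for comparison.
run_complete() {
  "$1" | sh
}

for s in unguarded guarded_function guarded_if; do
  printf '%s truncated: [%s]\n' "$s" "$(run_truncated "$s" | tr '\n' ' ')"
done
```

The unguarded script runs its cut-off last line with the shortened path `/tmp/demo`, while both guarded variants fail to parse and run nothing.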