Curl, unquoted URLs, and LANGSEC

April 1st, 2017

The other day I had an unpleasant realization about curl, and how I use it. I'm going to guess most programmers have had this experience:

tim@puter:~$ curl -sS
[1] 638
bash: baz: command not found
tim@puter:~$ <!doctype html>
    <title>Example Domain</title>

...and immediately have the reaction "oh dammit I forgot to quote the URL", because that innocuous little ampersand is getting interpreted in bash as "run the preceding as a command in the background".

This has happened to me from time to time for years, but it was only this week that I realized how *dangerous* it is.
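The ampersand behaviour described above can be reproduced offline; this is an added example, not code from the original post, and it compares the unquoted line with the single-quoted one. The URL is constructed for illustration, `curl` and `baz` are stub functions so nothing touches the network, and the helper names `has_shell_meta`, `shell_quote` and `commands_run` are hypothetical.

```shell
#!/bin/sh
# Added example: stubs replace curl, so nothing here touches the network.
# URL is constructed for illustration; it is not the URL from the original post.
URL='http://example.com/?foo=bar&baz'

# True if the string contains a character the shell treats specially when unquoted.
has_shell_meta() {
  case $1 in
    *'&'*|*';'*|*'|'*|*'<'*|*'>'*|*'('*|*')'*|*'$'*|*'`'*) return 0 ;;
    *'\'*|*'"'*|*"'"*|*' '*|*'*'*|*'?'*|*'#'*|*'['*) return 0 ;;
    *) return 1 ;;
  esac
}

# Single-quote a string for the shell; an embedded ' becomes '\''.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Count the commands the shell runs for the line "curl -sS <text>".
# curl and baz are stubs; baz stands in for the word after the '&'.
commands_run() {
  (
    curl() { printf 'curl ran with: %s\n' "$*"; }
    baz()  { printf 'baz ran as its own command\n'; }
    eval "curl -sS $1"   # parsed exactly as if typed at the prompt
    wait                 # let the backgrounded stub finish before counting
  ) | wc -l | tr -d ' '
}

if has_shell_meta "$URL"; then
  echo "unquoted: $(commands_run "$URL") commands"
  echo "quoted:   $(commands_run "$(shell_quote "$URL")") command"
fi
```

Unquoted, the shell backgrounds `curl` with a truncated URL and then runs `baz` as a second command; quoted, `curl` receives the whole URL as a single argument.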
