← Back to context

Comment by swiftcoder

8 hours ago

curl is only the sandbox if you don't then do anything with the byte stream.

Pipe it to bash? game over

Pipe it to less/more? Better hope your distro keeps those patched

Open the file in a browser or PDF reader? Hey, look at all this shiny new attack surface!

3 comments

swiftcoder

Reply
inigyou  6 hours ago

Well yeah, that's true for any sandbox. If you pipe stuff outside of the sandbox, outside of any sandbox, and run it there, then you're not running it in a sandbox.

  • swiftcoder  1 hour ago

    Right, but nobody actually uses curl as the end destination, right? You use it to download something so that you can run another tool on it.

    And as such, you need to already be sandboxing the tool (since it processes untrusted data you received over the internet).

layer8  8 hours ago

How do you set up the sandbox without having downloaded anything from the internet? I guess there’s still places where you can buy Linux CDs.