vorlon

For Ubuntu 24.10, we should patch bash so that when it's given content on stdin, it checks the process tree and if the sending process is curl, launches x-www-browser with a page on basic Internet safety instead of executing the command.

@vorlon curl | /lib64/ld-linux-x86-64.so.2 /dev/stdin

(no it doesn't actually quite work ... sadly?)

@joeyh @vorlon
$ curl -s file:///usr/bin/uname | \ls -Ll /dev/stdin
prw------- 1 haelwenn haelwenn 0 Apr 26 17:40 /dev/stdin
Gah, non-executable.

An option could be added to allow the script to be executed if you provide a SHA384 hash of the contents in the bash arguments. That would address some of the risks, but not all of them.

Of course people will find ways to bypass the protection:

wget -O - example.com | cat | /bin/sh
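The hash-pinning idea from the thread, sketched as a shell wrapper instead of a bash option (an added example, not code from any poster or from bash; `run_pinned` is a hypothetical name). It hashes the buffered bytes themselves, so it behaves the same whether or not a `cat` sits in the pipe, and it assumes the expected hash was obtained separately from the download.

```shell
# Usage: curl -fsSL "$URL" | run_pinned <expected-sha384-hex> [script args...]
# Exit codes: 2 = bad hash argument or setup failure, 1 = hash mismatch,
# otherwise the exit status of the script that was run.
run_pinned() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    shift
    # SHA-384 is 48 bytes, so the pin must be exactly 96 hex digits.
    case "$expected" in
        ''|*[!0-9a-f]*) echo "run_pinned: hash is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 96 ] || { echo "run_pinned: hash is not 96 digits" >&2; return 2; }

    tmp=$(mktemp) || return 2
    # Buffer the whole stream before doing anything else: the bytes that are
    # hashed and the bytes that are executed must be the same file, and a
    # truncated download must fail the check rather than half-run.
    cat > "$tmp"
    actual=$(sha384sum "$tmp" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "run_pinned: SHA-384 mismatch, refusing to execute" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        rm -f "$tmp"
        return 1
    fi

    rc=0
    sh "$tmp" "$@" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```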

@vorlon Imagining all the trendy projects this would break

@vorlon @noam I'm having flashbacks to requiring .desktop files be executable...