Recommended installation method is vulnerable to man in the middle attack #2237

Open
bddap opened this issue Mar 7, 2023 · 3 comments

Comments

@bddap

bddap commented Mar 7, 2023

see zellij-org/zellij-org.github.io#182

@sh1boot

sh1boot commented Feb 29, 2024

I was inspired to write something about the problem.
https://www.tīkōuka.dev/curl-is-not-secure-by-default/

It's too endemic to fix, but users can take a few steps to help protect themselves from accidentally pasting a bad command into their terminal.

@bddap
Author

bddap commented Mar 4, 2024

It's cool that we can search GitHub to find all those instances. I wonder how hard it would be to write a bot that submits PRs fixing those vulnerable parts.

@sh1boot

sh1boot commented Mar 5, 2024

That's just the results which don't specify any scheme. I tried to do a separate search for http:// and found another 5k results, but that's more noisy (many results might have good reasons for their choice).

I didn't search for wget, but I noticed wget uses HSTS by default so I guess that's a better starting point, and it'd only be worth searching with a filter to exclude preloaded sites.

I guess the thing to do, and I don't really know how, would be to filter out all the URLs and see how many of them do respond with the proper redirect and the same data on https. If they don't behave the same then the PR would just break stuff.

I think I would want to check in with GitHub staff before trying to create 16000 pull requests.
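The first half of the filtering sh1boot describes (find fetches that default to plaintext, then generate the rewrite a PR bot would propose) can be done offline against the text of a README or install script. The following is an added example written for this thread; it is not zellij's code and not the code of anyone commenting here. It assumes the common shape of one-line install commands (`curl ... | sh`, `wget -qO- ... | sh`), a small, non-exhaustive list of curl/wget options that take an argument, and constructed sample snippets whose hosts use the reserved `.invalid` TLD. The hardened rewrite makes the scheme explicit and, for curl, adds `--proto '=https'` so the transfer fails rather than silently falling back to http.

```python
"""Lint shell snippets for curl/wget fetches that can be downgraded to plaintext.

A scheme-less URL such as `curl get.example.invalid/install.sh` is fetched over
plain http, so anyone on the network path can substitute the script. This
linter flags such fetches and produces a hardened rewrite.
"""
import re
import shlex
from dataclasses import dataclass

# Constructed sample README; hosts and paths are placeholders, not real projects.
SAMPLE_README = """\
# Install
curl -fsSL get.example-project.invalid/install.sh | bash
curl -o tool.tar.gz http://example-project.invalid/releases/tool.tar.gz
curl -L https://example-project.invalid/install.sh | sh
wget -qO- get.example-project.invalid/install.sh | sudo sh
"""

FETCHERS = {"curl", "wget"}
# Options that consume the following token. Assumption: this short list covers
# typical one-line install commands; it is not the full curl/wget option set.
OPTS_WITH_ARG = {"-o", "--output", "-H", "--header", "-d", "--data", "-X",
                 "--request", "-u", "--user", "--proto", "--proto-redir"}
SEPARATORS = {"|", "||", "&&", ";"}

# host.tld[/path] with an optional scheme:// prefix, matched against one token
URL_RE = re.compile(
    r"^(?:(?P<scheme>[A-Za-z][A-Za-z0-9+.-]*)://)?"
    r"(?P<rest>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+(?:/\S*)?)$"
)


@dataclass
class Finding:
    lineno: int
    command: str
    url: str
    issue: str  # "no-scheme" (curl/wget default to http) or the plaintext scheme used


def classify_url(token):
    """Return the lowercased scheme, 'no-scheme', or None if token is not a URL."""
    m = URL_RE.match(token)
    if not m:
        return None
    scheme = m.group("scheme")
    return scheme.lower() if scheme else "no-scheme"


def audit(text):
    """Scan every line; report curl/wget URL arguments that are not https://."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        try:
            tokens = shlex.split(line, comments=True)
        except ValueError:  # unbalanced quote in surrounding prose
            tokens = line.split()
        command, skip_next = None, False
        for tok in tokens:
            if skip_next:
                skip_next = False
                continue
            if tok in SEPARATORS:
                command = None  # a new command starts after a pipe or separator
                continue
            if command is None or command == "sudo":
                command = tok.rsplit("/", 1)[-1]  # basename, also unwraps sudo
                continue
            if command not in FETCHERS:
                continue
            if tok in OPTS_WITH_ARG:
                skip_next = True  # e.g. `-o tool.tar.gz` is a filename, not a URL
                continue
            if tok.startswith("-"):
                continue
            kind = classify_url(tok)
            if kind is not None and kind != "https":
                findings.append(Finding(lineno, command, tok, kind))
    return findings


def harden(line):
    """Rewrite one command line: explicit https:// and, for curl, --proto '=https'."""
    for f in audit(line):
        if f.issue == "no-scheme":
            line = re.sub(r"(?<![\w./:-])" + re.escape(f.url) + r"(?![\w./-])",
                          "https://" + f.url, line, count=1)
        else:
            line = line.replace(f.url, "https://" + f.url.split("://", 1)[1], 1)
    if "--proto" not in line:
        # --proto '=https' makes curl refuse any other transfer protocol
        line = re.sub(r"(^|[|;&]\s*|sudo\s+)curl(?=\s)",
                      r"\1curl --proto '=https'", line)
    return line


if __name__ == "__main__":
    lines = SAMPLE_README.splitlines()
    for f in audit(SAMPLE_README):
        print(f"line {f.lineno}: {f.command} fetches {f.url!r} ({f.issue})")
        print("  suggested:", harden(lines[f.lineno - 1]))
```

The second half of the check, confirming that the https endpoint actually answers and serves the same bytes as the http one before opening a PR, needs network access and is deliberately left out here; this part only produces the candidate list and the proposed rewrite.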
