Recommended installation method is vulnerable to man in the middle attack #2237
Comments
I was inspired to write up something about how curl isn't automatically safe. It's too endemic to fix, but users can take a few steps to help protect themselves from accidentally pasting a bad command into their terminal.
It's cool that we can search GitHub to find all those instances. I wonder how hard it would be to write a bot that submits PRs fixing those vulnerable parts.
That's just the results which don't specify any scheme. I tried to do a separate search for http:https:// and found another 5k results, but that's more noisy (many results might have good reasons for their choice). I didn't search for wget, but I noticed wget uses HSTS by default, so I guess that's a better starting point, and it'd only be worth searching with a filter to exclude preloaded sites. I guess the thing to do, and I don't really know how, would be to filter out all the URLs and see how many of them do respond with the proper redirect and the same data on https. If they don't behave the same then the PR would just break stuff. I think I would want to check in with GitHub staff before trying to create 16000 pull requests.
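A small audit script for the kind of search described above, added here as an example and not part of this issue or of any project mentioned in it: it scans README or script text for curl/wget output piped into a shell and, following the point about scheme-less URLs, treats a URL with no scheme as plain http, which is what curl and wget default to. The regex, finding labels and sample lines are constructed assumptions, not a shell parser.

```python
import re
from typing import List

# Regex for "curl/wget <args> | [sudo] sh/bash/zsh", the install pattern this
# issue is about. Constructed approximation; it does not parse shell syntax.
PIPE_TO_SHELL = re.compile(
    r"\b(?P<tool>curl|wget)\b(?P<args>[^|]*)\|\s*(?:sudo\s+)?(?:sh|bash|zsh)\b"
)
# Flags that disable certificate verification in curl (-k/--insecure)
# and wget (--no-check-certificate).
INSECURE_FLAGS = {"-k", "--insecure", "--no-check-certificate"}


def find_url(args: str):
    """Return the first non-flag token that looks like a URL, or None."""
    for tok in args.split():
        if tok.startswith("-"):
            continue
        if "://" in tok or re.match(r"^[\w.-]+\.[A-Za-z]{2,}(/|$)", tok):
            return tok.strip("'\"")
    return None


def audit_line(line: str) -> List[str]:
    """Classify one shell line; an empty list means no pipe-to-shell found."""
    m = PIPE_TO_SHELL.search(line)
    if not m:
        return []
    args = m.group("args")
    findings = ["pipe-to-shell"]
    url = find_url(args)
    scheme = url.split("://", 1)[0].lower() if url and "://" in url else None
    if scheme is None:
        # curl and wget treat a scheme-less URL as http://, so this is the
        # "no scheme specified" case the thread searched for.
        findings.append("plaintext-http:no-scheme")
    elif scheme == "http":
        findings.append("plaintext-http")
    if any(tok in INSECURE_FLAGS for tok in args.split()):
        findings.append("tls-verification-disabled")
    return findings


def audit_text(text: str):
    """Run audit_line over every line; return {line_no: findings} for hits."""
    return {n: f for n, l in enumerate(text.splitlines(), 1) if (f := audit_line(l))}


# Constructed sample README lines, not taken from any real project.
SAMPLE = """\
curl -fsSL https://example.com/install.sh | sh
curl example.com/install.sh | bash
wget -qO- http://example.com/get | sudo sh
curl -k https://example.com/install.sh | sh
curl -fsSL https://example.com/install.sh -o install.sh
"""

if __name__ == "__main__":
    for n, f in audit_text(SAMPLE).items():
        print(n, f)
```

Lines that download to a file without piping (the last sample line) are not flagged, since that is the pattern the thread suggests moving toward.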
see zellij-org/zellij-org.github.io#182