abdullah/til
1
0
Fork 0
mirror of https://github.com/jbranchaud/til synced 2026-01-03 07:08:01 +00:00
Code Issues Projects Releases Wiki Activity

Add Limit Protocols Used In A cURL Command as a Unix TIL

Browse Source
This commit is contained in:
jbranchaud
2025-02-10 17:10:15 -06:00
parent 6f47e2f057
commit eb3369d296
2 changed files with 29 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@@ -10,7 +10,7 @@ pairing with smart people at Hashrocket.
For a steady stream of TILs, [sign up for my newsletter](https://crafty-builder-6996.ck.page/e169c61186).
_1588 TILs and counting..._
_1589 TILs and counting..._
See some of the other learning resources I work on:
- [Ruby Operator Lookup](https://www.visualmode.dev/ruby-operators)
@@ -1556,6 +1556,7 @@ See some of the other learning resources I work on:
- [Killing A Frozen SSH Session](unix/killing-a-frozen-ssh-session.md)
- [Last Argument Of The Last Command](unix/last-argument-of-the-last-command.md)
- [Less With Style](unix/less-with-style.md)
- [Limit Protocols Used In A cURL Command](unix/limit-protocols-used-in-a-curl-command.md)
- [List All Fonts On Your Machine](unix/list-all-fonts-on-your-machine.md)
- [List All The Enabled ZSH Options](unix/list-all-the-enabled-zsh-options.md)
- [List All Users](unix/list-all-users.md)

27
unix/limit-protocols-used-in-a-curl-command.md Normal file
View File

@@ -0,0 +1,27 @@
# Limit Protocols Used In A cURL Command
I was about to install [`atuin`](https://github.com/atuinsh/atuin). I went to
their _Quick Start_ section to grab whatever command I would need to install
it. It was a `curl` statement piped to `sh`. The thing that caught my attention
though was I `curl` flag that I didn't recognize — `--proto`.
> Tells curl to limit what protocols it may use for transfers.
Using `curl --proto '=https' ...` we can enforce that only an `https` URL can
be used in this command.
Here is what happens if I try to run the `atuin`-provided `curl` command after
I have downgraded their URL to be `http`:
```bash
curl --proto '=https' --tlsv1.2 -LsSf http://setup.atuin.sh | sh
curl: (1) Protocol "http" not supported or disabled in libcurl
```
It doesn't even attempt the request. The protocol is considered unsupported and
the command immediately fails.
In addition to only installing software we trust, we should make sure we are
only doing so over a protocol we trust (namely, `https`).
See `man curl` for more details, including about the modifiers (`=`, `+`, `-`).