From eb3369d296efb2be87e8d1cf120e58b3de571e96 Mon Sep 17 00:00:00 2001 From: jbranchaud Date: Mon, 10 Feb 2025 17:10:15 -0600 Subject: [PATCH] Add Limit Protocols Used In A cURL Command as a Unix TIL --- README.md | 3 ++- .../limit-protocols-used-in-a-curl-command.md | 27 +++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) create mode 100644 unix/limit-protocols-used-in-a-curl-command.md diff --git a/README.md b/README.md index 3886172..bd5f15a 100644 --- a/README.md +++ b/README.md @@ -10,7 +10,7 @@ pairing with smart people at Hashrocket. For a steady stream of TILs, [sign up for my newsletter](https://crafty-builder-6996.ck.page/e169c61186). -_1588 TILs and counting..._ +_1589 TILs and counting..._ See some of the other learning resources I work on: - [Ruby Operator Lookup](https://www.visualmode.dev/ruby-operators) @@ -1556,6 +1556,7 @@ See some of the other learning resources I work on: - [Killing A Frozen SSH Session](unix/killing-a-frozen-ssh-session.md) - [Last Argument Of The Last Command](unix/last-argument-of-the-last-command.md) - [Less With Style](unix/less-with-style.md) +- [Limit Protocols Used In A cURL Command](unix/limit-protocols-used-in-a-curl-command.md) - [List All Fonts On Your Machine](unix/list-all-fonts-on-your-machine.md) - [List All The Enabled ZSH Options](unix/list-all-the-enabled-zsh-options.md) - [List All Users](unix/list-all-users.md) diff --git a/unix/limit-protocols-used-in-a-curl-command.md b/unix/limit-protocols-used-in-a-curl-command.md new file mode 100644 index 0000000..cfc5eab --- /dev/null +++ b/unix/limit-protocols-used-in-a-curl-command.md 
@@ -0,0 +1,27 @@ +# Limit Protocols Used In A cURL Command + +I was about to install [`atuin`](https://github.com/atuinsh/atuin). I went to +their _Quick Start_ section to grab whatever command I would need to install +it. It was a `curl` statement piped to `sh`. The thing that caught my attention +though was I `curl` flag that I didn't recognize — `--proto`. + +> Tells curl to limit what protocols it may use for transfers. + +Using `curl --proto '=https' ...` we can enforce that only an `https` URL can +be used in this command. + +Here is what happens if I try to run the `atuin`-provided `curl` command after +I have downgraded their URL to be `http`: + +```bash +curl --proto '=https' --tlsv1.2 -LsSf http://setup.atuin.sh | sh +curl: (1) Protocol "http" not supported or disabled in libcurl +``` + +It doesn't even attempt the request. The protocol is considered unsupported and +the command immediately fails. + +In addition to only installing software we trust, we should make sure we are +only doing so over a protocol we trust (namely, `https`). + +See `man curl` for more details, including about the modifiers (`=`, `+`, `-`).
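Review bot: Typo in the opening paragraph of unix/limit-protocols-used-in-a-curl-command.md: "was I `curl` flag that I didn't recognize" should read "was a `curl` flag that I didn't recognize". Two smaller points in the same hunk. The blockquote "Tells curl to limit what protocols it may use for transfers." names no source, so say where it is quoted from. The `bash` fence holds both the command and the error line `curl: (1) Protocol "http" not supported or disabled in libcurl`, so either prefix the command with a prompt or move the output into its own untagged block so readers can tell input from output. The example also carries `--tlsv1.2` and `-LsSf` without comment; one sentence saying these belong to the atuin-provided command and are separate from what `--proto` does would keep the TIL focused on the flag in its title.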