Show HN: Tap curl in your editor before it gets to sh (github.com/awalgarg)
60 points by awalGarg on Nov 13, 2016 | hide | past | favorite | 12 comments


Why do you create an env variable that contains the whole file in question when the editor returned success? Wouldn't something like:

  cat "$f"; rm "$f"
not involve loading the whole file in memory at once? Note that using this also makes sense with self-extracting archives/shell scripts, because it lets you inspect the shell script at the beginning.


Moreover, dumping the file into a variable doesn't seem to be a good idea if the file were to contain null characters.
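As an added example (not the project's code), this is a POSIX-sh `tap` along the lines the comment above suggests: stdin is copied to a temp file and forwarded with `cat`/`rm` instead of being captured in a variable, so NUL bytes and large scripts survive, and only what the editor saved and exited from with status 0 reaches the next command in the pipeline. `TAP_TTY` is an assumed override (default `/dev/tty`) so the function can also run non-interactively.

```shell
# Usage:  curl -fsSL https://example.invalid/install.sh | tap | sh
# Nothing reaches sh unless $EDITOR exits 0; whatever the editor saved is what runs.
tap() {
    f=$(mktemp) || return 1            # mktemp creates the file mode 0600
    # Byte-for-byte copy of stdin: no shell variable, so NULs are not dropped
    # and the whole script is never held in the environment.
    cat > "$f" || { rm -f "$f"; return 1; }
    # Run the editor on the terminal, not on the pipe we are part of.
    # TAP_TTY is an assumed knob for non-interactive use (e.g. /dev/null in tests).
    tty=${TAP_TTY:-/dev/tty}
    if "${EDITOR:-vi}" "$f" < "$tty" > "$tty"; then
        cat "$f"                       # forward the reviewed (possibly edited) content
        rc=$?
    else
        echo "tap: editor exited non-zero, discarding input" >&2
        rc=1
    fi
    rm -f "$f"
    return $rc
}
```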



A much better feature is available in zsh, called safe-paste, that does this without the user having to insert "tap" or anything else manually. It relies on something called bracketed paste, where the terminal emulator sends special escape sequences to indicate the beginning and end of a paste. These are intercepted by the zsh plugin, which opens $EDITOR with the pasted content.

https://github.com/robbyrussell/oh-my-zsh/blob/master/plugin...


Bracketed paste mode can still be broken by a malicious web-site: https://thejh.net/misc/website-terminal-copy-paste . Does this solution have the same vulnerability?


Depends on the terminal emulator you're using, I believe. It (and not zsh) needs to filter out escape sequences.


How is it better? Pasting is a totally different use case from `curl | sh`.


Typical use case:

* type "curl <paste>" in zsh, vim opens with "curl <pasted-url>"

* inspect URL, if OK in Normal mode do !!zsh<CR> (I assume emacs can also somehow eval current line in shell and replace line with output)

* inspect the code downloaded (still in vim) and then execute it (or save to file then execute).


I don't really see why I'd install something from some github repository if I can get it from a moreutils package that I like to have installed anyway.


Then don't. `vipe` from `moreutils` is acknowledged in this project's readme.

I don't have `moreutils` installed; it's plausible that someone might want just the single package, in which case `tap` would seem OK as an alternative.


I think you're specifically saying that the "vipe" command does this:

http://manpages.ubuntu.com/manpages/xenial/en/man1/vipe.1.ht...

moreutils is great. Unfortunately, moreutils parallel conflicts with GNU parallel :(


Simple, but nice



