pyenv / pyenv-installer

This tool is used to install `pyenv` and friends.
MIT License

[IMPORTANT] Arbitrary code injection #104

Closed. qngapparat closed this 3 years ago

qngapparat commented 3 years ago

http://pyenv.run/ is not secure.

Doing a curl followed by bash allows attackers observing your network connection to run arbitrary code on your PC.

Either upgrade http://pyenv.run/ to HTTPS or directly curl the GitHub file.

robnagler commented 3 years ago

@qngapparat The instructions in the README.md say to use https to connect to pyenv.run.

qngapparat commented 3 years ago

@robnagler Correct.

However, curl githubusercontent... redirects to HTTPS, whereas curl pyenv.run uses the insecure connection. In my opinion that's a very unnecessary risk (considering the negligible convenience it brings).

Take into account how many people use this tool; a fraction is bound to just type curl pyenv.run. And it's piped directly into bash (!).

Thanks for the quick reply

robnagler commented 3 years ago

There's no curl githubusercontent in the README nor is curl pyenv.run recommended. If people type that, there's little to be done.

To your specific point about "upgrading" the connection in the case of curl githubusercontent, this is no more secure than accessing without the redirect. The initial non-TLS access would be hijacked if there were an attacker-in-the-middle. The "upgrade" would or would not happen. Unlike some browsers, curl does not automatically try TLS first. It should, perhaps, but that's outside our control.

The way you can test this is to not use -L on curl. You will see that nothing is returned, because the server issues a redirect over a clear text connection. That's when the attacker-in-the-middle would inject the attack, because the initial request from curl happens, again, in clear text, in all cases.

It actually gives a user a false sense of security to redirect to TLS. It is a convenience, of course, which is why most sites do it, but in this case, it's better that it just returns the data without the redirect.
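
The point made above is that the first request is what an on-path attacker hijacks, so a server-side redirect to TLS cannot protect a plaintext `curl`. The client-side check a practitioner wants is to make curl refuse any plaintext hop at all. The following is an added example and is not code from pyenv-installer or from either commenter; the function names `url_is_https` and `fetch_installer` are hypothetical, while the curl options `--proto`, `--proto-redir` and `--tlsv1.2` are real curl flags. It also saves the script to a file rather than piping it straight into a shell, so it can be inspected before it runs.

```shell
#!/bin/sh
# Added example (not part of pyenv-installer): refuse to fetch an installer
# over a plaintext first hop, whether or not the server would redirect to TLS.
# Helper names are hypothetical; the curl flags used are real.

# url_is_https URL
# Returns 0 when the scheme is exactly https (case-insensitive), 1 otherwise.
# This is the offline check: an http:// URL never reaches curl.
url_is_https() {
    case "$1" in
        [Hh][Tt][Tt][Pp][Ss]://*) return 0 ;;
        *) return 1 ;;
    esac
}

# fetch_installer URL OUTFILE
# Downloads URL to OUTFILE with curl, allowing TLS only:
#   --proto '=https'        the initial request must be HTTPS
#   --proto-redir '=https'  any redirect target must also be HTTPS
#   --tlsv1.2               refuse TLS versions older than 1.2
# Returns 2 (without contacting the network) when the URL is not https://.
fetch_installer() {
    url=$1
    out=$2
    if ! url_is_https "$url"; then
        printf 'refusing plaintext URL: %s\n' "$url" >&2
        return 2
    fi
    curl --proto '=https' --proto-redir '=https' --tlsv1.2 -fsSL \
         -o "$out" "$url"
}

# Typical use: download first, read it, then run it.
#   fetch_installer 'https://pyenv.run' ./pyenv-installer.sh && \
#       less ./pyenv-installer.sh && sh ./pyenv-installer.sh
```

Even with `--proto '=https'`, a download is only as trustworthy as the TLS certificate chain and the server behind it; the flags remove the plaintext window discussed in this thread, nothing more.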

qngapparat commented 3 years ago

Fair enough.