Don't copy-paste terminal commands from the web

[Read the post]


As an addendum, never install anything in a command line by piping the results of a curl command directly to the shell. This is disturbingly common. For example the standard Ruby Version Manager suggests you install it like this:

\curl -sSL | bash

Don’t do that, and if anyone asks you to do that, they should feel bad.


ha ha ha ha! Suckers!


I LOLed!

I am a Linux novice, but am aware of the possibility of easily hosing or unsecuring my system.

If I had to copy something off the web, I would paste it into a text buffer instead, to be sure of what it was. Pasted stuff could include even a return/enter character to run it automatically from a terminal.

Better yet, use the “man” command with your binary of choice as an argument, so you can learn what they are, what they do, and what arguments they accept. Then you are in a better position to know a bit about how your system works.


Mark it with your mouse, copy it somehow (e.g. using CTRL+C) and paste it into a terminal. What happens?
[/quote]Since I’m not on a Linux machine, I have no idea. It would be nice if TFA told us what it did without making us actually do it under the specific OS you’re not supposed to do that sort of thing on…


You think the text you’ve copied is:

git clone git://

but what you’ve really copied is:

git clone /dev/null; clear; echo -n “Hello “;whoami|tr -d ‘\n’;echo -e ‘!\nThat was a bad idea. Don’”’”‘t copy code from websites you don’"’"‘t trust!
Here’"’"'s the first line of your /etc/passwd: ';head -n1 /etc/passwd
git clone git://

The code itself is just a simple demonstration that what looks innocuous to you might do something entirely different.


If someone gives you a bad shell command, just do what I do and delete /etc. Works every time.

(In case it’s not obvious: Do NOT delete /etc unless you know what you’re doing and why.)

Also, for that matter, do not pour salt water into your computer or place your laptop in the microwave. Even if someone from technical support tells you to. Perhaps especially if so.


I just gave the links a quick glance, but the main attack vector seems to be text stings with partial obfuscation via CSS display props. (Here’s one source)

Works fine against Windows, too. The linked Reddit thread covers some of that, but it’s a long wearisome thread…

I’m a fan of keeping a 7-bit editor handy to wash copy operations from web pages.


I paste into notepad as a habit cause windows likes to be ‘smart’ on me and do fancy crap I don’t want done with formatting which I never ever want.


buuut laaazyness! Also, if you’re copying code from a site that you’re pretty much running compiled software as root, you’re really only opening yourself up to some nasty XSS, but it is a good reminder to not just trust some stranger’s code. Recalling a script I wrote with a bunch of “rm -rf” commands, you could get some interesting glitches by adding “-exec sed -i “s#/bin#\ /bin#g” {} ;” to an overly inclusive find command.

I think it’s mostly Word. I’ve taken to writing in Notepad++ when I need to make something to paste into a webform.

1 Like

Can we have the old web back?

With just text files, images, and links to other text files and images?

I thought this topic would just be a reminder not to run commands you don’t understand.

But actually the article warns us about something that should not even be possible.


Uh, the tl;dr is wrong; this has nothing to do with JavaScript.


I was thinking of writing an endorsement of an Oh-My-Zsh plugin, safe-paste.

Then I remembered that the way the Oh-My-Zsh people recommend installing Oh-My-Zsh is with wget or curl, piped through sh.

And that’s not much different from how Oh-My-Zsh updates itself.

Suddenly, I don’t feel like Oh-My-Zsh is so clever.


Seconded - the TL;DR should talk about shell commands, not Javascript. This particular exploit doesn’t involve Javascript.

And nothing is being automatically executed here; the end user is explicitly pasting commands into a terminal in this scenario.


This exploit doesn’t work if you aren’t allowing scripts by default. Which I’m not. So, problem solved in 0 easy steps.


There is a similar problem with web links. Some sites will have a link that you think is directly taking you to the target site, but it is actually wrapped in a tracking web site like viglink full of information about who you are and where you came from.

1 Like

As if they could possibly understand! XD


I was suspicious of this too. I wasn’t under the impression that clipboard contents were executed or interpreted.


wait what? this is a joke right?

if serious, on what os? which javascript engine is running it from the clipboard? the linked to clever fellow explanation says no such thing…I program javascript all day and cut and paste javascript like a champ, nothing ever runs. I’ll assume this is just a joke and I’m not getting the humor.

nothing should ever run from the clipboard directly…unless you have the worlds worst clipboard extension installed.