Hacker Newsnew | past | comments | ask | show | jobs | submitlogin
You cannot cURL under pressure (benjojo.co.uk)
38 points by benjojo12 on Oct 12, 2019 | hide | past | favorite | 13 comments


I do find myself using wget to download things because I don't have to remember the curl option to follow redirects, and wget saves the file using the same name as the last bit of the uri.


Which makes sense. cURL is a relatively “dumb” request tool.

Same goes for youtube-dl versus wget. The latter is a relatively “dumb” download tool.


curl follows redirects, `curl -O` is functionally identical to wget.

Unless I'm missing something in your statement.


> curl follows redirects, `curl -O` is functionally identical to wget.

No it's not :)

You need to `curl -LO`. See for example github releases:

  curl -LO https://github.com/S2-/gitlit/releases/download/v1.4.1/gitlit-1.4.1.tar.gz
downloads the tar.gz, while

  curl -O https://github.com/S2-/gitlit/releases/download/v1.4.1/gitlit-1.4.1.tar.gz
will download an html file.

Even better would be to use `curl -LOJ`, so if the filename is not in the url, but in the `Content-Disposition filename` http response header, curl would get the filename from there.


Pretty good overview of why I just use wget for such things.


"because I don't have to remember the curl option to follow redirects"


curl follows standard redirects but there are a couple of fairly common redirects that it doesn't.

--Someone who built a browser on libcurl


Just FYI, there's a way to get to the QEMU console with a certain keyboard shortcut. There could be potential for mischief (if you are logging the sessions look at the one that ended just now with "too much data written to the terminal", that was me trying to attach the host's /etc/passwd as a raw disk image to the VM).


Heh, I was just trying to do the same:

https://sr.ht/O2oy.png

Ben: you can fix this by adding -monitor none to your qemu command line.


Even with that disabled I still wouldn't trust it (QEMU devs didn't originally plan for its stdin to be attacker-controlled, so there could be subtle bugs even with monitor disabled - remember the GRUB bug where you could bypass the password with specific keystrokes). I would've personally made it to simulate a serial port to the guest and the browser-based console being connected to that.


Yeah, that would be wise.


Cool, but I think spawning VMs on server is overkill for that. It should be possible to build cURL with Emscripten with fake socket interface to verify requests.


Why boot many VM instead of saving the state and restoring from there?




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: