9

Example:

#!/bin/bash
source "$VARIABLE"

Is to retrieve values from a remote location using curl.

http://example.com/file.cnfg
Robin pilot
  • 447
  • 6
  • 15
  • Apparently you are trying to say that `VARIABLE="curl 'http://example.com/file.cnfg'"` and this is what you want to evaluate. As an aside (and as implied in rici's answer) you should not use upper case for your private variables; uppercase is reserved for system variables. – tripleee Apr 05 '19 at 06:32
  • A complete answer here https://unix.stackexchange.com/a/522007/61742 . – Eduardo Lucio Jan 25 '23 at 15:03

2 Answers2

20

You don't need or want a variable. The common way to do this is

curl http://example.com/file.cnfg | sh

If you really genuinely need to execute the code in the current shell,

source <(curl http://example.com/file.cnfg)

does that.

Caveats about security implications cannot be overstated. You need to understand what could go wrong if the server is malicious, hijacked, misconfigured, down, or just in a really grumpy mood.

You should be asking yourself "can I avoid using a variable" (and also, "can I avoid spawning an external process") and if the answer is yes, that's usually what you should do.

Paul Tobias
  • 1,962
  • 18
  • 18
tripleee
  • 175,061
  • 34
  • 275
  • 318
19

Executing downloads blindly is definitely not something you want to do casually.

You can execute the contents of a variable using eval, as in:

eval "$variable"

That's not something you want to do without thinking through the security implications either.

rici
  • 234,347
  • 28
  • 237
  • 341
  • 1
    I am beginner in bash, so I am a bit blindly. But if the request is to my own server, you also need to consider security issues? – Robin pilot Mar 29 '15 at 01:12
  • 1
    @RobinPlotnik: Security is not just about malicious attacks. Suppose your server returns an error instead of the data you expect, and your code executes the error as though it were a shell script. How sure are you that the random content of the error does not contain something which could do damage? HTML contains lots of >, for example. How possible is it that the next word happens to name a file? – rici Mar 29 '15 at 03:05