Description
I did this
> echo -e '#!/bin/sh\n\necho "evil!"\nexit 0\n\033[2Aecho "Hello World!"\n' > evil.sh
> curl file:/home/jan_automation/evil.sh
#!/bin/sh
echo "Hello World!"
exit 0
Classical terminal injection (see https://www.infosecmatter.com/terminal-escape-injection/ ). Everyone using a terminal is expected to know not to do this on untrusted or random content. It is very user unfriendly and it is possible to do better.
Even careful humans make mistakes, so this can happen unintentionally.
Quick way to show that this is also the case for headers in case of a curious reader:
> echo -ne "HTTP/1.0 200 OK\r\nEvil: yes\033[2Ano\r\n\r\nEverything is fine.\nHave some tea.\n" | nc -l -p 8080 &
> curl -v localhost:8080
I expected the following
> curl file:/home/jan_automation/evil.sh
#!/bin/sh
echo "evil!"
exit 0
␛[2Aecho "Hello World!"
> curl file:/home/jan_automation/evil.sh | cat
#!/bin/sh
echo "Hello World!"
exit 0
> curl --disable-terminal-filter file:/home/jan_automation/evil.sh
#!/bin/sh
echo "Hello World!"
exit 0
> curl --enable-terminal-filter file:/home/jan_automation/evil.sh
#!/bin/sh
echo "evil!"
exit 0
␛[2Aecho "Hello World!"
There seems to be no way around detecting a terminal and only doing this when output is sent there, so as not to break many scripts using curl that redirect output to a file or pipe. An argument would be needed to disable this always and one to enable it always. There are more places where output will need to be filtered, like response headers when using --verbose.
Would such a fix be acceptable?
curl/libcurl version
all of them
operating system
most of them