Yeah, but if you pipe the curl output to your shell anyway, this is the same thing.
Unless of course it's some sort of "timing attack" (advance apology to purists if I'm using this term incorrectly) and the server knows you've downloaded this once (with gosh perhaps) and then sends you the malignant stuff the second or subsequent times.
Edit: sorry, the above makes no sense because you will have reviewed it with gosh and probably wouldn't download it again.
There are lots of ways you can get bad data from a given server over curl, even if using HTTPS and the attacker does not have full control over the server:
* Typo in URL and typosquatter sends you whatever commands they want
* XSS in server-side scripts leads to injection of commands via unescaped tags
There may be others I haven't thought of. Perhaps a DNS glue record can be used to inject shell metacharacters where the server has an error handler that reports the client hostname? The fact that any of these are even possible shows how fragile this mechanism is.
Unless of course it's some sort of "timing attack" (advance apology to purists if I'm using this term incorrectly) and the server knows you've downloaded this once (with gosh perhaps) and then sends you the malignant stuff the second or subsequent times.
Edit: sorry, the above makes no sense because you will have reviewed it with gosh and probably wouldn't download it again.