
It'll get you the same script, it just may not execute the same, right? curl is the thing being redirected, and the http server doesn't know about curl's redirections.


No, the point of the findings in that blog post is that a malicious HTTP server could infer that you're piping curl to bash, and serve you a _different_ script. Hence why it's safer to curl the script to a file, inspect the file, then execute locally.


I don't see how they could serve you a different script. How would they make the inference?


Read the article. It's based on timing; if you send a "sleep 10" command and then a bunch of data, the client will either display the "sleep 10" and go on consuming the data, or, if it's being executed, will actually sleep for 10 seconds and the data will pile up until its OS stops accepting new data, so you as the server will see that the client has suspended the download and can deduce that it's being executed live on the target machine. You can then choose how to end the script; with harmless looking code or the actual payload you want to run on their system.
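The mitigation described earlier in the thread (fetch the script to a file, inspect it, then run it locally) as an added shell example; this is not code from the thread or from the blog post being discussed. Because the whole body is written to disk before anything runs, the server never observes the client stalling on a `sleep` and so cannot tell whether the stream is executed or merely saved. The URL, destination path and expected digest are placeholders supplied by the caller; the `demo` function builds a constructed harmless script locally so the block runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): download-to-file, pin to a SHA-256
# published out of band (README, signed release notes), review, then execute.

# Portable SHA-256 of a file (coreutils sha256sum or BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# fetch_script URL DEST: write the complete response body to DEST without
# executing any of it. -f turns HTTP errors into a failure instead of a
# half-written "script"; --proto/--proto-redir pin the transport to HTTPS.
fetch_script() {
    curl -fsSL --proto '=https' --proto-redir '=https' -o "$2" "$1"
}

# verify_script FILE EXPECTED_SHA256: 0 only if the on-disk digest matches.
verify_script() {
    actual=$(sha256_of "$1")
    [ "$actual" = "$2" ]
}

# run_verified FILE EXPECTED_SHA256: refuse to execute on a digest mismatch.
# The file sits on disk first, so the operator can `cat -n` it before this.
run_verified() {
    if ! verify_script "$1" "$2"; then
        echo "refusing to run $1: SHA-256 mismatch" >&2
        return 1
    fi
    sh "$1"
}

# demo: constructed local script standing in for a downloaded installer;
# shows the verified path succeeding and a tampered digest being refused.
demo() {
    tmpdir=$(mktemp -d) || return 1
    script="$tmpdir/install.sh"
    printf '#!/bin/sh\necho "installer body ran"\n' > "$script"
    expected=$(sha256_of "$script")        # stands in for the published hash
    run_verified "$script" "$expected" || return 1
    if run_verified "$script" "0000000000000000000000000000000000000000000000000000000000000000"; then
        rm -rf "$tmpdir"
        return 1                            # wrong digest must never execute
    fi
    rm -rf "$tmpdir"
    return 0
}
```

Typical use is `fetch_script "$URL" ./install.sh`, a look at `./install.sh`, then `run_verified ./install.sh "$PUBLISHED_SHA256"`; the digest must come from a channel other than the same server that serves the script, otherwise a malicious server simply publishes the hash of whatever it decided to send.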


What article?


It was linked in another comment a few nodes up this tree.


Found it. It was a parent sibling. Thanks. I understand now.



