dgl.cx

dgl.cx Blogging about security, strange things to do with Internet protocols and other such fun. https://dgl.cx/feed 2025-10-07T03:05:12Z Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984)

A look at how a newline character in SSH usernames could confuse ProxyCommand in OpenSSH, leading to command injection and potential RCE.

https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984 2025-10-07T03:05:12Z 2025-10-07T03:05:12Z Switchable dark mode with 5 lines of JavaScript

Progress on progressive enhancement with new CSS features.

https://dgl.cx/2025/09/dark-mode-with-5-lines-of-javascript 2025-09-28T03:29:18Z 2025-09-28T03:29:18Z Images over DNS

Answering the question of how big a TXT record can be.

https://dgl.cx/2025/09/images-over-dns 2025-09-20T11:26:30Z 2025-09-20T11:26:30Z CVE-2025-48384: Breaking git with a carriage return and cloning RCE

tl;dr: On Unix-like platforms, if you use git clone --recursive on an untrusted repo, it could achieve remote code execution. Update to a fixed version of git and other software that embeds Git (including GitHub Desktop).

https://dgl.cx/2025/07/git-clone-submodule-cve-2025-48384 2025-07-09T17:30:00Z 2025-07-09T17:30:00Z Can your terminal do emojis? How big?

Ancient history meets modern terminals... Looking at varying support for DECDHL in terminals.

https://dgl.cx/2025/06/can-your-terminal-do-emojis 2025-06-24T01:58:23Z 2025-06-24T01:58:23Z Blink and you'll miss it — a URL handler surprise

Blink, the mobile shell for iOS had a URL handler that handled more than expected.

https://dgl.cx/2025/06/blink-at-a-url-handler 2025-06-17T22:51:00Z 2025-06-17T22:51:00Z Using HAProxy to protect me from scrapers

A simple anti-scraper solution for haproxy. The goal is to be as simple as possible, so this can be implemented alongside other haproxy rules to control traffic.

https://dgl.cx/2025/04/using-haproxy-to-stop-scrapers 2025-04-28T06:16:31Z 2025-04-28T06:16:31Z Déjà vu: Ghostly CVEs in my terminal title

Exploring a security bug in Ghostty that is eerily familiar.

https://dgl.cx/2024/12/ghostty-terminal-title 2024-12-31T22:11:37Z 2024-12-31T22:11:37Z Restrict sftp with Linux user namespaces

A script to restrict SFTP to some directories, without needing chroot or other privileged configuration.

https://dgl.cx/2024/10/restricted-sftp-with-userns 2024-10-26T05:28:05Z 2024-10-26T05:28:05Z "[31m"?! ANSI Terminal security in 2023 and finding 10 CVEs

A paper detailing how unescaped output to a terminal could result in unexpected code execution, on many terminal emulators. This research found around 10 CVEs in terminal emulators across common client platforms.

https://dgl.cx/2023/09/ansi-terminal-security 2023-10-05T08:37:38Z 2023-10-16T04:29:20Z NAT-Again: IRC NAT helper flaws

A Linux kernel bug allows unencrypted NAT'd IRC sessions to be abused to access resources behind NAT, or drop connections. Switch to TLS right now. Or read on.

https://dgl.cx/2022/08/nat-again-irc-cve-2022-2663 2022-09-01T10:42:51Z 2022-09-28T06:49:20Z ip.wtf and showing you your actual HTTP request

Using haproxy in strange ways

https://dgl.cx/2022/04/showing-you-your-actual-http-request 2022-04-29T12:12:01Z 2022-04-29T12:12:01Z