@dgl.cx
Monitoring π, SRE, Open Source, Security π. Emoji fan π¦ΈββοΈ. Just your average cynical Brit π¬π§ in π¦πΊ. He/him. π bridged from β https://infosec.exchange/@dgl, follow @ap.brid.gy to interact
C mistakes among the vulnerabilities in (curl) code
Looking back at all (now) published vulnerabilities in #curl that were present in code from 2020 until now, at no point in those years was the share of "C mistakes" higher than 15% of all vulns.
Through all years, the C mistake share of all vulnerabilities [β¦]
[Original post on mastodon.social]
Interesting talk from 39c3: https://gpg.fail including my favourite classes of issues ANSI escape spoofing and abusing CR. A response from GnuPG is here https://www.gnupg.org/blog/20251226-cleartext-signatures.html β although thereβs some other issues that do seem more fixable. IMO better to use [β¦]
Here's a copy of the filesystem that has been extracted as a .tar file: http://squoze.net/UNIX/v4/
Here's the document release you were waiting for today!
The UNIX V4 tape!
https://archive.org/details/utah_unix_v4_raw
#retrocomputing
@bagder maybe you could offer a fakecurl alternative for other platforms for people who really want it?
Works anywhere with Docker:
$ fakecurl() { docker run mcr.microsoft.com/dotnet/sdk:9.0 pwsh -CommandWithArgs "Invoke-WebRequest $@" }
$ fakecurl invoke-webrequest.haxx.se
StatusCode : 200 [β¦]
A screenshot of a shell (on Mac) executing the program Γh. Due to normalization this gets translated to ssh, and indeed the shell calls the ssh binary.
Unicode normalization.
Can I use has a strange entry for Zstandard on Safari (https://caniuse.com/zstd). I canβt find many references for it but indeed, if you serve Zstd to Safari >= 26 it does work. There doesnβt even seem to be a feature flag to turn on sending it in the Accept-Encoding header.
Iβm experimenting with @bsky.brid.gy so this account is now bridged to Bluesky as @dgl.cx β there was a previous Bluesky account which that replaces (it now shows as βinvalid handleβ) and Bluesky doesnβt have a a Mastodon like way of migrating followers, so you will need to refollow.
@whitequark feels like it needs a "Unwarranted chumminess with compiler." comment like Henry Spencer put in the original regexp code (1986) and which has been carried into various other versions (including perl) sinceβ¦
Gcore.com are an interesting provider. It took two separate support tickets over a month to work out their docs are wrong. If anyone is using them, *some* API endpoints need the authentication token to be in mixed case, for example "Authorization: APIKey ..." which is against what their [β¦]
@webmink the hardest hurdle is that CDNs primary purpose isnβt actually the content part anymore, but pushing DDoS mitigation as close to the edge as possible. That interacts poorly with HTTPS everywhere, as every node ideally needs the certs, meaning there isnβt an easy way to federate trust. I [β¦]
If you have a bash command line of "exec program ..." and you can control the "..." can you make it not run the exec and do something different? The answer is yes. Even if "..." is somewhat sanitised for shell metacharacters. If you can inject $+] it will make bash error on that line and run the [β¦]
For those of you who saw my BSides Canberra talk, here's a vulnerability I couldn't talk about in the talk, yet, but is very much in the spirit of it: https://dgl.cx/2025/10/bash-a-newline-ssh-proxycommand-cve-2025-61984
Did you know Cloudflare documents how to use DNS in Google Sheets? Because if you have a problem, DNS is clearly the answer. https://developers.cloudflare.com/1.1.1.1/additional-options/dns-in-google-sheets/
I probably should have polished my @ComfyConAU talk. Instead I got sidetracked into wondering just how much I could tunnel over DNS: https://dgl.cx/2025/09/images-over-dns
Noticed my SLAAC IPv6 address happens to end in :fade. Fade to black?
I'll be speaking at BSides Canberra: https://cfp.bsidescbr.com.au/bsides-canberra-2025/talk/8TWF8X/ -- this will cover my recent find of an RCE in Git and how that and some other vulnerabilities could be used against developers. #bsides #security