David Leadbeater
@dgl.cx
Monitoring 📊, SRE, Open Source, Security 🔐. Emoji fan 🦸‍♂️. Just your average cynical Brit 🇬🇧 in 🇦🇺. He/him.

👨‍💻 → https://dgl.cx
You have a bash command line of "exec program ..." and you control "..." can you make it do something different? What if it is somewhat sanitised for shell metacharacters? If you can inject $[+] it will make bash error on that line and run the next. This is how dgl.cx/2025/10/bash... works.
Bash a newline: Exploiting SSH via ProxyCommand, again (CVE-2025-61984)
dgl.cx
October 7, 2025 at 6:19 AM
I'll be speaking at BSides Canberra: cfp.bsidescbr.com.au/bsides-canbe... -- this will cover my recent find of an RCE in Git (dgl.cx/2025/07/git-...) and how that and some other vulnerabilities could be used against developers.
Developers, the weakest link in the supply chain? BSides Canberra 2025
Supply chain security is a topic which has been raised in profile in recent years through events such as the xz backdoor. In the open source world trust matters a lot. While trust is mostly gained thr...
cfp.bsidescbr.com.au
July 31, 2025 at 1:02 AM
New blog post: Ghostty 1.0.0 terminal security; dgl.cx/2024/12/ghos... (CVE-2024-56803)
Déjà vu: Ghostly CVEs in my terminal title
dgl.cx
December 31, 2024 at 11:35 PM