Critical issue on Windows #35
Comments
|
Hi, thanks for reporting the issue! I will look into the path joining inconsistencies in Zip files on windows later, for now I merged a patch that fixes the correct intended behavious (has_lookup=True). So it should not show up as PATCHED by default now. |
|
I have a fix... will send pull request |
This was referenced Dec 17, 2021
|
Issue should be fixed now |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
@yunzheng : you use standard path libraries for the lookups of files in zip files: this approach is incorrect.
On windows the Exception will always be hit becasue the path for lookup of the class gets passed in the wrong format:
'org\\apache\\logging\\log4j\\core\\lookup\\JndiLookup.class'rather than
'org/apache/logging/log4j/core/lookup/JndiLookup.class'And since you have defaulted to setting has_lookup = False, VULNERABLE jars are being labeled PATCHED.
This is very bad if people using windows are to rely on your tool...
The behavior is inconsistent across your codebase... this is OK:
Furtheron it is not OK:
The text was updated successfully, but these errors were encountered: