I will look into the path joining inconsistencies in Zip files on Windows later; for now I merged a patch that fixes the correct intended behaviour (has_lookup=True). So it should not show up as PATCHED by default now.
@yunzheng : you use standard path libraries for the lookups of files in zip files: this approach is incorrect.
On Windows the Exception will always be hit because the path for lookup of the class gets passed in the wrong format:
'org\\apache\\logging\\log4j\\core\\lookup\\JndiLookup.class'
rather than
'org/apache/logging/log4j/core/lookup/JndiLookup.class'
And since you have defaulted to setting has_lookup = False, VULNERABLE jars are being labeled PATCHED.
This is very bad if people using Windows are to rely on your tool...
The behavior is inconsistent across your codebase... this is OK:
Further on it is not OK:
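The mismatch described in this issue, as an added example (not code from the issue or from the project): zip member names always use `/`, so a name built with Windows path joining never matches and a jar that contains `JndiLookup.class` gets labeled PATCHED. `ntpath.join` stands in for `os.path.join` on Windows; `build_jar`, `has_member` and `classify` are hypothetical helpers, and the jar is constructed in memory.

```python
import io
import ntpath
import posixpath
import zipfile

# Package path components of the class named in the issue.
JNDI_PARTS = ("org", "apache", "logging", "log4j", "core", "lookup", "JndiLookup.class")


def build_jar(with_lookup: bool) -> bytes:
    """Constructed sample: a minimal in-memory jar, optionally with JndiLookup.class."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if with_lookup:
            # Archive member names use forward slashes on every platform.
            zf.writestr("/".join(JNDI_PARTS), b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def has_member(jar: bytes, name: str) -> bool:
    """True only if `name` matches an archive member name exactly."""
    with zipfile.ZipFile(io.BytesIO(jar)) as zf:
        try:
            zf.getinfo(name)  # raises KeyError for an unknown member name
            return True
        except KeyError:
            return False


def classify(jar: bytes, join=posixpath.join) -> str:
    """Hypothetical classifier: label a jar by whether JndiLookup.class is present.

    `join` is injectable so the Windows behaviour can be reproduced anywhere.
    """
    return "VULNERABLE" if has_member(jar, join(*JNDI_PARTS)) else "PATCHED"


if __name__ == "__main__":
    jar = build_jar(with_lookup=True)
    print("lookup name via ntpath.join:   ", ntpath.join(*JNDI_PARTS))
    print("verdict with ntpath.join:      ", classify(jar, join=ntpath.join))
    print("lookup name via posixpath.join:", posixpath.join(*JNDI_PARTS))
    print("verdict with posixpath.join:   ", classify(jar))
```

Building member names with `posixpath.join` (or `"/".join`) gives the same result on every operating system, which is the property a scanner's archive lookups need.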