Critical issue on Windows
KrisJanssen opened this issue · 3 comments
@yunzheng: you use standard path libraries for the lookups of files in zip files: this approach is incorrect.
On Windows the Exception will always be hit because the path for lookup of the class gets passed in the wrong format:
'org\\apache\\logging\\log4j\\core\\lookup\\JndiLookup.class'
rather than
'org/apache/logging/log4j/core/lookup/JndiLookup.class'
And since you have defaulted to setting has_lookup = False, VULNERABLE jars are being labeled PATCHED.
This is very bad if people using windows are to rely on your tool...
The behavior is inconsistent across your codebase... this is OK:
Further on it is not OK:
Hi, thanks for reporting the issue!
I will look into the path joining inconsistencies in Zip files on Windows later; for now I merged a patch that fixes the correct intended behaviour (has_lookup=True). So it should not show up as PATCHED by default now.
I have a fix... will send pull request
Issue should be fixed now
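The root cause discussed in this thread, reproduced as a stand-alone example (this is added illustration code, not the project's own scanner): zip entry names always use `/` regardless of the host OS, so building the lookup key with `os.path.join` yields a backslashed name on Windows and the member lookup silently fails. Windows behaviour is simulated with `ntpath.join` so the repro runs on any platform; the jar contents and the `verdict` helper are constructed for this example and are deliberately simplified (a real scanner also checks versions, not just the presence of one class).

```python
import io
import ntpath
import posixpath
import zipfile

# The class whose presence the scanner is looking for, as path components.
JNDI_LOOKUP_PARTS = ("org", "apache", "logging", "log4j", "core", "lookup", "JndiLookup.class")


def build_sample_jar(include_jndi_lookup: bool = True) -> bytes:
    """Constructed in-memory jar; entry names use '/' as the zip spec requires."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("org/apache/logging/log4j/core/LogEvent.class", b"\xca\xfe\xba\xbe")
        if include_jndi_lookup:
            zf.writestr("/".join(JNDI_LOOKUP_PARTS), b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def lookup_with_join(jar_bytes: bytes, join) -> bool:
    """Buggy pattern from the report: build the member name with a host path
    joiner, then catch the KeyError and report 'no lookup class'.
    `join` is injected so ntpath.join can stand in for os.path.join on Windows."""
    name = join(*JNDI_LOOKUP_PARTS)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            zf.getinfo(name)   # on Windows `name` has backslashes -> KeyError
            return True
        except KeyError:
            return False


def buggy_lookup_as_on_windows(jar_bytes: bytes) -> bool:
    """What the reported code does on Windows: os.path.join -> backslashes."""
    return lookup_with_join(jar_bytes, ntpath.join)


def buggy_lookup_as_on_posix(jar_bytes: bytes) -> bool:
    """Same code on Linux/macOS happens to work because os.sep is '/'."""
    return lookup_with_join(jar_bytes, posixpath.join)


def has_jndi_lookup(jar_bytes: bytes) -> bool:
    """Correct version: always build the key with posixpath, and normalise any
    backslashed entry names written by non-conforming zip tools before comparing."""
    wanted = posixpath.join(*JNDI_LOOKUP_PARTS)
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = {info.filename.replace("\\", "/") for info in zf.infolist()}
    return wanted in names


def verdict(jar_bytes: bytes, checker) -> str:
    """Simplified labelling: a jar that still ships JndiLookup.class is flagged
    VULNERABLE, otherwise PATCHED. With the buggy checker on Windows every jar
    comes back PATCHED, which is the mislabelling described in the issue."""
    return "VULNERABLE" if checker(jar_bytes) else "PATCHED"


if __name__ == "__main__":
    jar = build_sample_jar()
    print("buggy checker, simulated Windows:", verdict(jar, buggy_lookup_as_on_windows))
    print("buggy checker, POSIX host:       ", verdict(jar, buggy_lookup_as_on_posix))
    print("fixed checker:                   ", verdict(jar, has_jndi_lookup))
```

Run it on any OS: the simulated-Windows path reports PATCHED for a jar that plainly contains `JndiLookup.class`, the POSIX path reports VULNERABLE by accident of `os.sep`, and the `posixpath`-based checker reports VULNERABLE everywhere.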