fox-it/log4j-finder

Critical issue on Windows

KrisJanssen opened this issue · 3 comments

@yunzheng : you use standard path libraries for the lookups of files in zip files: this approach is incorrect.

[screenshot]

On Windows the exception will always be hit because the path for the lookup of the class gets passed in the wrong format:

'org\\apache\\logging\\log4j\\core\\lookup\\JndiLookup.class'

rather than

'org/apache/logging/log4j/core/lookup/JndiLookup.class'

And since you have defaulted to setting has_lookup = False, VULNERABLE jars are being labeled PATCHED.

This is very bad if people using windows are to rely on your tool...

The behavior is inconsistent across your codebase... this is OK:

[screenshot]

Further on, it is not OK:

[screenshot]
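To make the separator problem in the report above concrete, the following is an added example (not code from log4j-finder or from the issue author). It builds a constructed in-memory jar containing the JndiLookup class entry and shows that a lookup name built with the Windows path joiner never matches a zip entry, while one built with forward slashes does. The function names and the placeholder class bytes are assumptions made for this example; zip archives always store entry names with `/` regardless of the host OS, which is why `posixpath` (or a plain `"/".join`) is the right tool and `os.path.join` is not.

```python
import io
import ntpath
import posixpath
import zipfile

# Path components of the class the scanner looks for (from the issue text).
JNDI_LOOKUP_PARTS = ("org", "apache", "logging", "log4j", "core", "lookup", "JndiLookup.class")


def build_sample_jar(include_lookup: bool = True) -> bytes:
    """Build a constructed in-memory jar; entry names inside a zip always use '/'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if include_lookup:
            # Placeholder bytes standing in for a real class file (constructed).
            zf.writestr("/".join(JNDI_LOOKUP_PARTS), b"\xca\xfe\xba\xbe")
    return buf.getvalue()


def lookup_name_windows_style() -> str:
    """What an os.path.join-based lookup produces on Windows (simulated with ntpath)."""
    return ntpath.join(*JNDI_LOOKUP_PARTS)


def lookup_name_zip_style() -> str:
    """What a zip lookup must use on every OS: forward-slash separated entry names."""
    return posixpath.join(*JNDI_LOOKUP_PARTS)


def normalize_zip_name(name: str) -> str:
    """Defensive normalisation: turn any backslashes into the '/' that zip entries use."""
    return name.replace("\\", "/")


def jar_has_entry(jar_bytes: bytes, entry_name: str) -> bool:
    """Mirror the scanner's pattern: getinfo() raises KeyError when the entry is missing."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        try:
            zf.getinfo(entry_name)
            return True
        except KeyError:
            return False


def jar_has_jndi_lookup(jar_bytes: bytes) -> bool:
    """Correct check: build the entry name with '/', never with the host OS separator."""
    return jar_has_entry(jar_bytes, normalize_zip_name(lookup_name_zip_style()))


if __name__ == "__main__":
    jar = build_sample_jar(include_lookup=True)
    print("windows-style name:", lookup_name_windows_style(), "->", jar_has_entry(jar, lookup_name_windows_style()))
    print("zip-style name:    ", lookup_name_zip_style(), "->", jar_has_entry(jar, lookup_name_zip_style()))
```

The Windows-style name is exactly the `org\\apache\\...` string quoted in the issue and is never found, so a scanner that catches the resulting `KeyError` and falls back to a default will report whatever that default says, not what the jar actually contains. The zip-style name matches, and the same name is also what the jar's own `namelist()` returns, so `normalize_zip_name` makes the check safe even if a caller passes in a backslash path.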

Hi, thanks for reporting the issue!

I will look into the path joining inconsistencies in zip files on Windows later; for now I merged a patch that fixes the correct intended behaviour (has_lookup=True). So it should not show up as PATCHED by default now.

I have a fix... will send a pull request

Issue should be fixed now