目录
■Eclipse中设定方法
■效果
■扩展
●2.14.1 存在漏洞
JndiLookup.java
AbstractLookup.java
Maven
Download Artifact Sources
---
可以查看查看Log4j2的漏洞,JNDI注入 相关的 源码了。
/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache license, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the license for the specific language governing permissions and * limitations under the license. */ package org.apache.logging.log4j.core.lookup; import java.util.Objects; import javax.naming.NamingException; import org.apache.logging.log4j.Logger; import org.apache.logging.log4j.Marker; import org.apache.logging.log4j.MarkerManager; import org.apache.logging.log4j.core.LogEvent; import org.apache.logging.log4j.core.config.plugins.Plugin; import org.apache.logging.log4j.core.net.JndiManager; import org.apache.logging.log4j.status.StatusLogger; /** * Looks up keys from JNDI resources. */ @Plugin(name = "jndi", category = StrLookup.CATEGORY) public class JndiLookup extends AbstractLookup { private static final Logger LOGGER = StatusLogger.getLogger(); private static final Marker LOOKUP = MarkerManager.getMarker("LOOKUP"); /** JNDI resource path prefix used in a J2EE container */ static final String CONTAINER_JNDI_RESOURCE_PATH_PREFIX = "java:comp/env/"; /** * Looks up the value of the JNDI resource. * @param event The current LogEvent (is ignored by this StrLookup). * @param key the JNDI resource name to be looked up, may be null * @return The String value of the JNDI resource. */ @Override public String lookup(final LogEvent event, final String key) { if (key == null) { return null; } final String jndiName = convertJndiName(key); try (final JndiManager jndiManager = JndiManager.getDefaultManager()) { return Objects.toString(jndiManager.lookup(jndiName), null); } catch (final NamingException e) { LOGGER.warn(LOOKUP, "Error looking up JNDI resource [{}].", jndiName, e); return null; } } /** * Convert the given JNDI name to the actual JNDI name to use. * Default implementation applies the "java:comp/env/" prefix * unless other scheme like "java:" is given. * @param jndiName The name of the resource. * @return The fully qualified name to look up. */ private String convertJndiName(final String jndiName) { if (!jndiName.startsWith(CONTAINER_JNDI_RESOURCE_PATH_PREFIX) && jndiName.indexOf(':') == -1) { return CONTAINER_JNDI_RESOURCE_PATH_PREFIX + jndiName; } return jndiName; } }
---
/* * Licensed to the Apache Software Foundation (ASF) under one or more * contributor license agreements. See the NOTICE file distributed with * this work for additional information regarding copyright ownership. * The ASF licenses this file to You under the Apache license, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the license for the specific language governing permissions and * limitations under the license. */ package org.apache.logging.log4j.core.lookup; /** * A default lookup for others to extend. * * @since 2.1 */ public abstract class AbstractLookup implements StrLookup { /** * Calls {@code lookup(null, key)} in the super class. * * @see StrLookup#lookup(LogEvent, String) */ @Override public String lookup(final String key) { return lookup(null, key); } }
---
●2.15.0 漏洞修复
---
---