Workaround for log4j security exploits
This commit is contained in:
parent
acd0971b63
commit
1266a3af6d
|
@ -10,6 +10,8 @@ import org.objectweb.asm.ClassVisitor;
|
||||||
import org.objectweb.asm.ClassWriter;
|
import org.objectweb.asm.ClassWriter;
|
||||||
import org.objectweb.asm.MethodVisitor;
|
import org.objectweb.asm.MethodVisitor;
|
||||||
import org.objectweb.asm.Opcodes;
|
import org.objectweb.asm.Opcodes;
|
||||||
|
import org.objectweb.asm.tree.ClassNode;
|
||||||
|
import org.objectweb.asm.tree.InsnNode;
|
||||||
|
|
||||||
import java.util.ServiceLoader;
|
import java.util.ServiceLoader;
|
||||||
import java.util.function.Consumer;
|
import java.util.function.Consumer;
|
||||||
|
@ -25,6 +27,7 @@ public class ApplicationBootstrap extends AbstractBootstrap implements Consumer<
|
||||||
System.setProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager");
|
System.setProperty("java.util.logging.manager", "org.apache.logging.log4j.jul.LogManager");
|
||||||
System.setProperty("log4j.jul.LoggerAdapter", "io.izzel.arclight.boot.log.ArclightLoggerAdapter");
|
System.setProperty("log4j.jul.LoggerAdapter", "io.izzel.arclight.boot.log.ArclightLoggerAdapter");
|
||||||
System.setProperty("log4j.configurationFile", "arclight-log4j2.xml");
|
System.setProperty("log4j.configurationFile", "arclight-log4j2.xml");
|
||||||
|
this.hackLog4j();
|
||||||
ArclightLocale.info("i18n.using-language", ArclightConfig.spec().getLocale().getCurrent(), ArclightConfig.spec().getLocale().getFallback());
|
ArclightLocale.info("i18n.using-language", ArclightConfig.spec().getLocale().getCurrent(), ArclightConfig.spec().getLocale().getFallback());
|
||||||
try {
|
try {
|
||||||
int javaVersion = (int) Float.parseFloat(System.getProperty("java.class.version"));
|
int javaVersion = (int) Float.parseFloat(System.getProperty("java.class.version"));
|
||||||
|
@ -51,6 +54,29 @@ public class ApplicationBootstrap extends AbstractBootstrap implements Consumer<
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void hackLog4j() {
|
||||||
|
try (var in = getClass().getClassLoader().getResourceAsStream("org/apache/logging/log4j/core/lookup/JndiLookup.class")) {
|
||||||
|
var cw = new ClassWriter(ClassWriter.COMPUTE_MAXS);
|
||||||
|
var cr = new ClassReader(in);
|
||||||
|
var node = new ClassNode();
|
||||||
|
cr.accept(node, 0);
|
||||||
|
for (var method : node.methods) {
|
||||||
|
if (method.name.equals("lookup")) {
|
||||||
|
method.instructions.clear();
|
||||||
|
method.instructions.add(new InsnNode(Opcodes.ACONST_NULL));
|
||||||
|
method.instructions.add(new InsnNode(Opcodes.ARETURN));
|
||||||
|
method.tryCatchBlocks.clear();
|
||||||
|
method.localVariables.clear();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
node.accept(cw);
|
||||||
|
var bytes = cw.toByteArray();
|
||||||
|
Unsafe.defineClass(cr.getClassName(), bytes, 0, bytes.length, getClass().getClassLoader(), getClass().getProtectionDomain());
|
||||||
|
} catch (Exception e) {
|
||||||
|
throw new RuntimeException(e);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
private void hackModlauncher() throws Exception {
|
private void hackModlauncher() throws Exception {
|
||||||
try (var in = getClass().getClassLoader().getResourceAsStream("cpw/mods/modlauncher/TransformerClassWriter$SuperCollectingVisitor.class")) {
|
try (var in = getClass().getClassLoader().getResourceAsStream("cpw/mods/modlauncher/TransformerClassWriter$SuperCollectingVisitor.class")) {
|
||||||
var cw = new ClassWriter(0);
|
var cw = new ClassWriter(0);
|
||||||
|
|
Loading…
Reference in New Issue
Block a user