Patch CVE-2021-45105 too

acrylic-style · acrylic-style · commit 7881649add31 · 2021-12-21T19:11:32.000+09:00
diff --git a/README.md b/README.md
@@ -17,4 +17,4 @@ This program can be used as wrapper for another jar file:
   - (Cancel malicious `ChatEvent` on BungeeCord)
   - Using [SpigotLog4j2Fix](https://github.com/AzisabaNetwork/SpigotLog4j2Fix) on Spigot/Paper
   - Cancel outbound packet that contains malicious string
-- Or alternatively, you can upgrade log4j2 to `2.15.0`.
+- Or alternatively, you can upgrade log4j2 to `2.17.0`.
diff --git a/pom.xml b/pom.xml
@@ -6,7 +6,7 @@
 
     <groupId>net.azisaba</groupId>
     <artifactId>Log4j2Fix</artifactId>
-    <version>1.0.4</version>
+    <version>1.0.5</version>
 
     <properties>
         <maven.compiler.source>8</maven.compiler.source>
@@ -43,6 +43,7 @@
                         <manifestEntries>
                             <Main-Class>net.azisaba.log4j2Fix.Log4j2Fix</Main-Class>
                             <Premain-Class>net.azisaba.log4j2Fix.Log4j2Fix</Premain-Class>
+                            <Agent-Class>net.azisaba.log4j2Fix.Log4j2Fix</Agent-Class>
                         </manifestEntries>
                     </archive>
                 </configuration>
@@ -61,11 +62,15 @@
             <artifactId>native-util</artifactId>
             <version>1.2.6</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <version>2.17.0</version>
+        </dependency>
         <dependency>
             <groupId>org.apache.logging.log4j</groupId>
             <artifactId>log4j-core</artifactId>
-            <version>2.14.1</version>
-            <scope>provided</scope>
+            <version>2.17.0</version>
         </dependency>
     </dependencies>
 </project>
diff --git a/src/main/java/net/azisaba/log4j2Fix/Log4j2Fix.java b/src/main/java/net/azisaba/log4j2Fix/Log4j2Fix.java
@@ -101,10 +101,30 @@ public static void transformClasses(boolean b) throws IOException {
         registered = true;
         NativeUtil.registerClassLoadHook((classLoader, s, aClass, protectionDomain, bytes) -> {
             if ("org/apache/logging/log4j/core/lookup/JndiLookup".equals(s) || s.startsWith("org/apache/logging/log4j/core/lookup/JndiLookup$")) {
+                System.out.println("Blocked loading class " + s);
                 sneakyThrow(new ClassNotFoundException());
             }
             return null;
         });
+
+        // log4j-api
+        transformClass("org.apache.logging.log4j.spi.AbstractLogger", false);
+
+        // log4j-core
+        transformClass("org.apache.logging.log4j.core.config.Configuration", false);
+        transformClass("org.apache.logging.log4j.core.config.ConfigurationFactory", false);
+        transformClass("org.apache.logging.log4j.core.config.composite.CompositeConfiguration", false);
+        transformClass("org.apache.logging.log4j.core.config.json.JsonConfiguration", false);
+        transformClass("org.apache.logging.log4j.core.config.plugins.util.PluginBuilder", false);
+        transformClass("org.apache.logging.log4j.core.config.xml.XmlConfiguration", false);
+        transformClass("org.apache.logging.log4j.core.lookup.ConfigurationStrSubstitutor", true);
+        transformClass("org.apache.logging.log4j.core.lookup.ContextMapLookup", false);
+        transformClass("org.apache.logging.log4j.core.lookup.DateLookup", false);
+        transformClass("org.apache.logging.log4j.core.lookup.EventLookup", false);
+        transformClass("org.apache.logging.log4j.core.lookup.RuntimeStrSubstitutor", true);
+        transformClass("org.apache.logging.log4j.core.lookup.StrSubstitutor", true);
+
+        // Restores ReflectionUtil
         if (b || Boolean.getBoolean("log4j2Fix.loadReflectionUtil")) {
             transformClass("org.apache.logging.log4j.util.ReflectionUtil", true);
             transformClass("org.apache.logging.log4j.util.ReflectionUtil$PrivateSecurityManager", true);
@@ -116,7 +136,14 @@ public static void transformClass(String className, boolean loadNow) throws IOEx
         if (clazz == null) {
             String path = "/classes/" + className.replace('.', '/') + ".class";
             InputStream in = Log4j2Fix.class.getResourceAsStream(path);
-            if (in == null) throw new RuntimeException("Could not find '" + path + "' in jar file");
+            if (in == null) {
+                path = "/" + className.replace('.', '/') + ".class";
+                in = Log4j2Fix.class.getResourceAsStream(path);
+            }
+            if (in == null) {
+                System.err.println("Could not find '" + path + "' in jar file");
+                return;
+            }
             byte[] newClassBytes = readAllBytes(in);
             if (loadNow) {
                 System.out.println("Loading class " + className + " from " + path);
