Posted to notifications@logging.apache.org by GitBox <gi...@apache.org> on 2021/12/13 23:14:35 UTC

[GitHub] [logging-log4j2] sellexx-stephan commented on pull request #608: Restrict LDAP access via JNDI

sellexx-stephan commented on pull request #608:
URL: https://github.com/apache/logging-log4j2/pull/608#issuecomment-992997550


   Thanks @zhangyoufu for your great workaround!
   Thanks @remkop and all others here for caring!
   
   About the hint given by zhangyoufu: "Just zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class to disable ${jndi:...} functionality completely." in https://github.com/apache/logging-log4j2/pull/608#issuecomment-990305306
   
   We are not Java guys, so I need some more details about how to apply it on MS Windows servers (for log4j-core-2.8.2.jar files under OpenJDK 16). I guess this is the way to do it:
   - search for log4j-core-*.jar files on your server using explorer.exe
   - for each such file do (using the command line in cmd.exe):
     - go to the path of the file using the cd command
     - enter: zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class   , but do not send
     - replace the * in the filename with the characters necessary to make it the real filename on your system
     - send it by hitting ENTER
     - if no reaction comes up, including no error message, it is successful
     - if sending it a second time, a nothing-to-do message will show up, meaning it can't remove a class if it has already been removed
   
   Is this correct?
   Do I have to reboot the server afterwards to make it be effective?
   Or the other way round: does the effect of removing the class only last until reboot, so that I would have to run the zip... command every time after a reboot?
   (You see: non-Java guy asking questions ;-)
   
   Thank you.
   
   
   
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
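
The procedure asked about in the comment above (find every log4j-core-*.jar, delete JndiLookup.class from it, and see "nothing to do" on a second run) can be scripted where no zip command is installed. This is an added example, not code from the original comment or from the log4j project; the function names and the root directory passed on the command line are hypothetical, and it assumes log4j-core is a standalone jar on disk, not one nested inside a WAR or fat jar.

```python
# Added example: remove JndiLookup.class from every log4j-core jar under a root.
# Function names and the root path argument are assumptions for illustration.
import os
import shutil
import sys
import zipfile
from pathlib import Path

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def strip_jndi_lookup(jar: Path) -> bool:
    """Remove JNDI_CLASS from jar. Return True if removed, False if absent."""
    with zipfile.ZipFile(jar) as src:
        if JNDI_CLASS not in src.namelist():
            return False  # equivalent of zip's "nothing to do" on a second run
        tmp = jar.with_name(jar.name + ".tmp")
        # zipfile cannot delete in place: copy every other entry to a new jar.
        with zipfile.ZipFile(tmp, "w", zipfile.ZIP_DEFLATED) as dst:
            for info in src.infolist():
                if info.filename != JNDI_CLASS:
                    dst.writestr(info, src.read(info))
    # Keep the original beside it; the .bak suffix keeps it out of "*.jar" globs.
    shutil.copy2(jar, jar.with_name(jar.name + ".bak"))
    # Raises PermissionError on Windows while a running JVM still has the jar open.
    os.replace(tmp, jar)
    return True


def patch_tree(root: Path) -> dict:
    """Patch every log4j-core-*.jar below root; map each path to 'removed?'."""
    jars = sorted(root.rglob("log4j-core-*.jar"))
    return {str(p): strip_jndi_lookup(p) for p in jars}


if __name__ == "__main__":
    for path, removed in patch_tree(Path(sys.argv[1])).items():
        print("removed" if removed else "nothing to do", path)
```

The edit changes the jar file on disk, so it persists across reboots; a JVM that is already running keeps the classes it has loaded until the application is restarted.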