diff --git a/README.md b/README.md
index 5c8af94..17cecd9 100644
--- a/README.md
+++ b/README.md
@@ -3,9 +3,9 @@
 log4j2-scan is a single binary command-line tool for CVE-2021-44228 vulnerability scanning and mitigation patch. It also supports nested JAR file scanning and patch.
 ### Download
-* [log4j2-scan 1.2.4 (Windows x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.4/logpresso-log4j2-scan-1.2.4-win64.7z)
-* [log4j2-scan 1.2.4 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.4/logpresso-log4j2-scan-1.2.4-linux.tar.gz)
-* [log4j2-scan 1.2.4 (Any OS, 10KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.4/logpresso-log4j2-scan-1.2.4.jar)
+* [log4j2-scan 1.2.5 (Windows x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.5/logpresso-log4j2-scan-1.2.5-win64.7z)
+* [log4j2-scan 1.2.5 (Linux x64)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.5/logpresso-log4j2-scan-1.2.5-linux.tar.gz)
+* [log4j2-scan 1.2.5 (Any OS, 10KB)](https://github.com/logpresso/CVE-2021-44228-Scanner/releases/download/v1.2.5/logpresso-log4j2-scan-1.2.5.jar)
 ### How to use
 Just run log4j2-scan.exe or log4j2-scan with target directory path.
@@ -20,7 +20,7 @@ On Linux
 ```
 On UNIX (AIX, Solaris, and so on)
 ```
-java -jar logpresso-log4j2-scan-1.2.4.jar [--fix] [--trace] target_path
+java -jar logpresso-log4j2-scan-1.2.5.jar [--fix] [--trace] target_path
 ```
 If you add `--fix` option, this program will copy vulnerable original JAR file to .bak file, and create new JAR file without `org/apache/logging/log4j/core/lookup/JndiLookup.class` entry. In most environments, JNDI lookup feature will not be used. However, you must use this option at your own risk. It is necessary to shutdown any running JVM process before applying patch. Start affected JVM process after fix.
diff --git a/pom.xml b/pom.xml
index 39748bc..39a21f4 100644
--- a/pom.xml
+++ b/pom.xml
@@ -6,7 +6,7 @@
 4.0.0
 com.logpresso
 log4j2-scanner
- 1.2.4
+ 1.2.5
 jar
 Logpresso Log4j2 Scanner
diff --git a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java
index 4162882..980ea12 100644
--- a/src/main/java/com/logpresso/scanner/Log4j2Scanner.java
+++ b/src/main/java/com/logpresso/scanner/Log4j2Scanner.java
@@ -25,6 +25,8 @@ public enum Status {
 private static final String JNDI_LOOKUP_CLASS_PATH = "org/apache/logging/log4j/core/lookup/JndiLookup.class";
 private static final String LOG4j_CORE_POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties";
+ private static final boolean isWindows = File.separatorChar == '\\';
+
 private long scanDirCount = 0;
 private long scanFileCount = 0;
 private long vulnerableFileCount = 0;
@@ -34,7 +36,7 @@ public enum Status {
 public static void main(String[] args) {
 if (args.length < 1) {
- System.out.println("Logpresso CVE-2021-44228 Vulnerability Scanner 1.2.4 (2021-12-14)");
+ System.out.println("Logpresso CVE-2021-44228 Vulnerability Scanner 1.2.5 (2021-12-14)");
 System.out.println("Usage: log4j2-scan [--fix] [--force-fix] [--trace] target_path");
 System.out.println(" Do not use --force-fix unless you know what you are doing");
 return;
@@ -315,7 +317,14 @@ private void traverse(File f, boolean fix, boolean trace) {
 private boolean isSymlink(File f) {
 try {
 String canonicalPath = f.getCanonicalPath();
- return f.isDirectory() && !canonicalPath.contains(f.getAbsolutePath());
+ String absolutePath = f.getAbsolutePath();
+
+ if (isWindows) {
+ canonicalPath = canonicalPath.toUpperCase();
+ absolutePath = absolutePath.toUpperCase();
+ }
+
+ return f.isDirectory() && !canonicalPath.contains(absolutePath);
 } catch (IOException e) {
 }
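Review bot: `isWindows`, added to the constants block of Log4j2Scanner in the first hunk of this file, is a `static final` yet is named like an instance field, while its neighbours `JNDI_LOOKUP_CLASS_PATH` and `LOG4j_CORE_POM_PROPS` use `UPPER_SNAKE_CASE`; rename it `private static final boolean IS_WINDOWS = File.separatorChar == '\\';` and update the single use in `isSymlink`. A one-line why-comment above it would spare the next reader a trip to that method: `// Windows file systems are case-insensitive, so isSymlink() compares canonical and absolute paths case-folded there.` The `toUpperCase()` calls this flag gates in `isSymlink` fold case with the JVM default locale, so the symlink check (presumably what `traverse` relies on to avoid following linked directories during `--fix`) can misfire under e.g. a Turkish locale; they should be `toUpperCase(Locale.ROOT)`, which needs `java.util.Locale` imported. The enclosing class header and the tail of `isSymlink` lie outside these hunks.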