Compile and execute scripts in doPrivileged block.
Project: http://git-wip-us.apache.org/repos/asf/logging-log4j2/repo Commit: http://git-wip-us.apache.org/repos/asf/logging-log4j2/commit/c5d17183 Tree: http://git-wip-us.apache.org/repos/asf/logging-log4j2/tree/c5d17183 Diff: http://git-wip-us.apache.org/repos/asf/logging-log4j2/diff/c5d17183 Branch: refs/heads/LOG4J-1181 Commit: c5d171831a2f56aa683e3191798bbec671667d33 Parents: 75a51f7 Author: Ralph Goers <[email protected]> Authored: Sat Nov 28 13:12:55 2015 -0700 Committer: Ralph Goers <[email protected]> Committed: Sat Nov 28 13:12:55 2015 -0700 ---------------------------------------------------------------------- .../log4j/core/script/ScriptManager.java | 47 ++++++++++++++++---- 1 file changed, 39 insertions(+), 8 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/logging-log4j2/blob/c5d17183/log4j-core/src/main/java/org/apache/logging/log4j/core/script/ScriptManager.java ----------------------------------------------------------------------
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/script/ScriptManager.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/script/ScriptManager.java
index 9a0e998..d05698d 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/script/ScriptManager.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/script/ScriptManager.java
@@ -30,6 +30,8 @@ import javax.script.ScriptEngineManager;
 import javax.script.ScriptException;
 import java.io.File;
 import java.nio.file.Path;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.util.List;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
@@ -46,6 +48,7 @@ public class ScriptManager implements FileWatcher {
 private final ConcurrentMap<String, ScriptRunner> scripts = new ConcurrentHashMap<>();
 private final String languages;
 private final WatchManager watchManager;
+ private static final SecurityManager SECURITY_MANAGER = System.getSecurityManager();
 public ScriptManager(WatchManager watchManager) {
 this.watchManager = watchManager;
@@ -139,7 +142,16 @@ public class ScriptManager implements FileWatcher {
 logger.warn("No script named {} could be found");
 return null;
 }
- return scriptRunner.execute(bindings);
+ if (SECURITY_MANAGER == null) {
+ return scriptRunner.execute(bindings);
+ } else {
+ return AccessController.doPrivileged(new PrivilegedAction<Object>() {
+ @Override
+ public Object run() {
+ return scriptRunner.execute(bindings);
+ }
+ });
+ }
 }
 private interface ScriptRunner {
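Review bot: The `SECURITY_MANAGER` field is read once at class initialisation, so a SecurityManager installed after `ScriptManager` is loaded is never seen, and scripts then compile and run outside the `doPrivileged` wrapper this commit adds. Calling `AccessController.doPrivileged` with no manager installed is harmless, so the field and both `if (SECURITY_MANAGER == null)` branches could be dropped; alternatively make the check per call with `System.getSecurityManager() != null`. If the cached field stays, a comment such as `// Captured at class load; a SecurityManager installed later is not detected` would record the limitation.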
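Review bot: The `doPrivileged` call around `scriptRunner.execute(bindings)` runs the whole script with log4j-core's own permissions, so under a SecurityManager any caller that can reach this method gets script code executed with privileges the caller may not hold. The method signature is outside the hunk, so it is not visible who may supply the script name and `bindings`; it is worth confirming that only configuration-defined scripts arrive here and recording it, e.g. `// Privileged: script text comes from the trusted configuration; bindings must not carry caller-controlled code`. If a narrower scope is acceptable, the two-argument `AccessController.doPrivileged(action, context)` form with a restricted `AccessControlContext` would limit what the script can do. Separately, the context line `logger.warn("No script named {} could be found");` has a placeholder but no argument, so the missing script's name is never logged.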
@@ -163,13 +175,32 @@ public class ScriptManager implements FileWatcher {
 CompiledScript compiled = null;
 if (scriptEngine instanceof Compilable) {
 logger.debug("Script {} is compilable", script.getName());
- try {
- compiled = ((Compilable) scriptEngine).compile(script.getScriptText());
- } catch (final Throwable ex) {
- /* ScriptException is what really should be caught here. However, beanshell's ScriptEngine
- * implements Compilable but then throws Error when the compile method is called!
- */
- logger.warn("Error compiling script", ex);
+
+ if (SECURITY_MANAGER == null) {
+ try {
+ compiled = ((Compilable) scriptEngine).compile(script.getScriptText());
+ } catch (final Throwable ex) {
+ /* ScriptException is what really should be caught here. However, beanshell's ScriptEngine
+ * implements Compilable but then throws Error when the compile method is called!
+ */
+ logger.warn("Error compiling script", ex);
+ }
+ } else {
+ compiled = AccessController.doPrivileged(new PrivilegedAction<CompiledScript>() {
+ @Override
+ public CompiledScript run() {
+ try {
+ return ((Compilable) scriptEngine).compile(script.getScriptText());
+ } catch (final Throwable ex) {
+ /* ScriptException is what really should be caught here. However, beanshell's
+ * ScriptEngine implements Compilable but then throws Error when the compile method
+ * is called!
+ */
+ logger.warn("Error compiling script", ex);
+ return null;
+ }
+ }
+ });
 }
 }
 compiledScript = compiled;
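Review bot: The compile-and-catch body is now written out twice, once in each branch of `if (SECURITY_MANAGER == null)`, so the two copies of this security-sensitive path can drift apart; a single private helper called from both branches keeps the privileged and unprivileged behaviour identical. The `catch (final Throwable ex)` inside the privileged action also reports a `SecurityException` from a policy denial only as "Error compiling script", which makes a misconfigured policy harder to spot in the logs. The enclosing constructor starts and ends outside the hunk, and the helper below is a sketch with a constructed name.

```java
// … unchanged: logger.debug("Script {} is compilable", script.getName()); …
if (SECURITY_MANAGER == null) {
    compiled = compileOrNull((Compilable) scriptEngine, script.getScriptText());
} else {
    compiled = AccessController.doPrivileged(new PrivilegedAction<CompiledScript>() {
        @Override
        public CompiledScript run() {
            return compileOrNull((Compilable) scriptEngine, script.getScriptText());
        }
    });
}
// … unchanged: compiledScript = compiled; …

/** Compiles the script text; logs and returns null when the engine cannot compile it. */
private CompiledScript compileOrNull(final Compilable engine, final String scriptText) {
    try {
        return engine.compile(scriptText);
    } catch (final Throwable ex) {
        // ScriptException is the expected failure, but beanshell's ScriptEngine implements
        // Compilable and then throws Error when compile is called.
        logger.warn("Error compiling script", ex);
        return null;
    }
}
```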
