[
https://issues.apache.org/jira/browse/LOG4J2-604?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13982445#comment-13982445
]
Matt Sicker commented on LOG4J2-604:
------------------------------------
This is taken care of for the most part. This might not be enough for OSGi
support, but no API changes will be necessary and can thus be included in any
update. I'm lowing the priority to Critical.
> Audit use of ClassLoader, Class.forName, etc.
> ---------------------------------------------
>
> Key: LOG4J2-604
> URL: https://issues.apache.org/jira/browse/LOG4J2-604
> Project: Log4j 2
> Issue Type: Epic
> Components: API, Core
> Affects Versions: 2.0-rc2
> Reporter: Matt Sicker
> Assignee: Matt Sicker
> Priority: Critical
>
> The idiom {{Class.forName}} is almost always a bad idea if it's called
> without a classloader to go along with it. The only acceptable place to put
> it is in something like Loader.loadClass as a last resort.
> To make sure everything works as expected in non-trivial environments (e.g.,
> multiple LoggerContexts associated to completely different ClassLoaders like
> in webapps or bundles), all usage of dynamic class loading should be audited
> for correctness. The appropriate neighbour class can be used for getting a
> class loader in most cases (i.e., another already loaded class that should be
> from the same JAR).
> I'll try to add some integration tests that create sub-classloaders that
> isolate contexts from one another to ensure correctness.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
