[ 
https://issues.apache.org/jira/browse/LOG4J2-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17066792#comment-17066792
 ] 

Uwe Schindler commented on LOG4J2-2761:
---------------------------------------

bq. I am not really sure what to do with this issue. Log4j is simply calling 
File.exists().  Java itself is calling the security manager. You should be able 
to duplicate this against any file running with the same security manager 
without Log4j in the picture.

The issue is that File.exists() with a file that have "%20" or similar 
encodings in the name catches SecurityManager as this path is simply not 
allowed to be accessed. There's no workaround. When security manager is 
effective you are not even allowed to check for existence of a file that is 
outside your sandbox. Plain easy. Read my comment previously.

> log4j2 fails when a whitespace is in the file path and Java security manager 
> is used
> ------------------------------------------------------------------------------------
>
>                 Key: LOG4J2-2761
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2761
>             Project: Log4j 2
>          Issue Type: Bug
>    Affects Versions: 2.13.0
>         Environment: Windows 7/10, Java 8/11/13 with configured Java Security 
> Manager
>            Reporter: Yury Molchan
>            Priority: Major
>
> {code}
> SEVERE: Error configuring application listener of class 
> [org.yurkom.navigator.web.servlet.StartupListener]
> java.security.AccessControlException: access denied ("java.io.FilePermission" 
> "C:\My%20Space\apache-tomcat-9.0.30\webapps\navigator\WEB-INF\classes\log4j2.properties"
>  "read")
>         at 
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
>         at 
> java.security.AccessController.checkPermission(AccessController.java:884)
>         at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>         at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
>         at java.io.File.exists(File.java:814)
>         at 
> org.apache.logging.log4j.core.util.FileUtils.fileFromUri(FileUtils.java:88)
>         at 
> org.apache.logging.log4j.core.config.ConfigurationSource.fromResource(ConfigurationSource.java:360)
>         at 
> org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:527)
>         at 
> org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:456)
>         at 
> org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:318)
>         at 
> org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:687)
>         at 
> org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:708)
>         at 
> org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:263)
>         at 
> org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:153)
>         at 
> org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:45)
>         at org.apache.logging.log4j.LogManager.getContext(LogManager.java:194)
>         at 
> org.apache.logging.log4j.spi.AbstractLoggerAdapter.getContext(AbstractLoggerAdapter.java:138)
> {code}
> policy file contains the following permissions:
> {code}
> grant codeBase "file:${catalina.home}/webapps/navigator/-" {
>         permission java.io.FilePermission "${catalina.home}/-", "read";
>         permission java.io.FilePermission "${catalina.home}/", "read";
> };
> {code}
> where catalina.home is "C:\My Space\apache-tomcat-9.0.30"
> It is related to LOG4J2-466



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to