[
https://issues.apache.org/jira/browse/LOG4J2-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17066792#comment-17066792
]
Uwe Schindler edited comment on LOG4J2-2761 at 3/25/20, 4:11 PM:
-----------------------------------------------------------------
bq. I am not really sure what to do with this issue. Log4j is simply calling
File.exists(). Java itself is calling the security manager. You should be able
to duplicate this against any file running with the same security manager
without Log4j in the picture.
The issue is that File.exists() with a file that have "%20" or similar
encodings in the name catches SecurityManager as this path is simply not
allowed to be accessed (because the path with %20 does not exist and is not
whitelisted). There's no workaround. When security manager is effective you are
not even allowed to check for existence of a file that is outside your sandbox.
Plain easy. Read my comment why its happening previously.
was (Author: thetaphi):
bq. I am not really sure what to do with this issue. Log4j is simply calling
File.exists(). Java itself is calling the security manager. You should be able
to duplicate this against any file running with the same security manager
without Log4j in the picture.
The issue is that File.exists() with a file that have "%20" or similar
encodings in the name catches SecurityManager as this path is simply not
allowed to be accessed. There's no workaround. When security manager is
effective you are not even allowed to check for existence of a file that is
outside your sandbox. Plain easy. Read my comment why its happening previously.
> log4j2 fails when a whitespace is in the file path and Java security manager
> is used
> ------------------------------------------------------------------------------------
>
> Key: LOG4J2-2761
> URL: https://issues.apache.org/jira/browse/LOG4J2-2761
> Project: Log4j 2
> Issue Type: Bug
> Affects Versions: 2.13.0
> Environment: Windows 7/10, Java 8/11/13 with configured Java Security
> Manager
> Reporter: Yury Molchan
> Priority: Major
>
> {code}
> SEVERE: Error configuring application listener of class
> [org.yurkom.navigator.web.servlet.StartupListener]
> java.security.AccessControlException: access denied ("java.io.FilePermission"
> "C:\My%20Space\apache-tomcat-9.0.30\webapps\navigator\WEB-INF\classes\log4j2.properties"
> "read")
> at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)
> at
> java.security.AccessController.checkPermission(AccessController.java:884)
> at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> at java.lang.SecurityManager.checkRead(SecurityManager.java:888)
> at java.io.File.exists(File.java:814)
> at
> org.apache.logging.log4j.core.util.FileUtils.fileFromUri(FileUtils.java:88)
> at
> org.apache.logging.log4j.core.config.ConfigurationSource.fromResource(ConfigurationSource.java:360)
> at
> org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:527)
> at
> org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:456)
> at
> org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:318)
> at
> org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:687)
> at
> org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:708)
> at
> org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:263)
> at
> org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:153)
> at
> org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:45)
> at org.apache.logging.log4j.LogManager.getContext(LogManager.java:194)
> at
> org.apache.logging.log4j.spi.AbstractLoggerAdapter.getContext(AbstractLoggerAdapter.java:138)
> {code}
> policy file contains the following permissions:
> {code}
> grant codeBase "file:${catalina.home}/webapps/navigator/-" {
> permission java.io.FilePermission "${catalina.home}/-", "read";
> permission java.io.FilePermission "${catalina.home}/", "read";
> };
> {code}
> where catalina.home is "C:\My Space\apache-tomcat-9.0.30"
> It is related to LOG4J2-466
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
