[ https://issues.apache.org/jira/browse/LOG4J2-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17067220#comment-17067220 ]
Uwe Schindler edited comment on LOG4J2-2761 at 3/25/20, 11:31 PM: ------------------------------------------------------------------ I opened PR @ https://github.com/apache/logging-log4j2/pull/355 It fixes the following things in {{FileUtils.fileFromUri}}: Rewrite logic to handle 2 cases: - Absolute URI: if it has scheme "vfsfile" patch it to be "file" (this goes back to very long time ago when jboss URIs are supported to track file changes) - Absolute URI: if it has scheme "file", just convert it to a File with {{new File(uri)}}. No further parsing, This is fully standards compliant with escapes - Relative URI: Do the same like in old code, but wrap everything in the try/catch. This ensures that if a SecurityException happens on File.exist() it is not breaking. Previously not all parts were shielded by try/catch. Tests for log4j-core pass for me on windows (with whitespace), I only have an unrelated test failure (possibly windows-caused). I can't run all tests as somehow it complains about not able to compile the module descriptor, although my setup looks correct. I also added new tests and removed the broken test with the existing/non-existing "+". This was just plain wrong (and it failed on Jenkins from time to time, because it was incorrect). was (Author: thetaphi): I opened PR @ https://github.com/apache/logging-log4j2/pull/355 It fixes the following things in {{FileUtils.fileFromUri}}: Rewrite logic to handle 2 cases: - Absolute URI: if it has scheme "vfsfile" patch it to be "file" (this goes back to very long time ago when jboss URIs are supported to track file changes) - Absolute URI: if it has scheme "file", just convert it to a File with {{new File(uri)}}. No further parsing, This is fully standards compliant with escapes - Relative URI: Do the same like in old code, but wrap everything in the try/catch. This ensures that if a SecurityException happens on File.exist() it is not breaking. Previously not all parts were shielded by try/catch. Tests for log4j-core pass for me on windows (with whitespace), I only have an unrelated test failure (possibly windows-caused). I can't run all tests as somehow it complains about not able to compile the module descriptor, although my setup looks correct. > log4j2 fails when a whitespace is in the file path and Java security manager > is used > ------------------------------------------------------------------------------------ > > Key: LOG4J2-2761 > URL: https://issues.apache.org/jira/browse/LOG4J2-2761 > Project: Log4j 2 > Issue Type: Bug > Affects Versions: 2.13.0 > Environment: Windows 7/10, Java 8/11/13 with configured Java Security > Manager > Reporter: Yury Molchan > Assignee: Ralph Goers > Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > {code} > SEVERE: Error configuring application listener of class > [org.yurkom.navigator.web.servlet.StartupListener] > java.security.AccessControlException: access denied ("java.io.FilePermission" > "C:\My%20Space\apache-tomcat-9.0.30\webapps\navigator\WEB-INF\classes\log4j2.properties" > "read") > at > java.security.AccessControlContext.checkPermission(AccessControlContext.java:472) > at > java.security.AccessController.checkPermission(AccessController.java:884) > at java.lang.SecurityManager.checkPermission(SecurityManager.java:549) > at java.lang.SecurityManager.checkRead(SecurityManager.java:888) > at java.io.File.exists(File.java:814) > at > org.apache.logging.log4j.core.util.FileUtils.fileFromUri(FileUtils.java:88) > at > org.apache.logging.log4j.core.config.ConfigurationSource.fromResource(ConfigurationSource.java:360) > at > org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:527) > at > org.apache.logging.log4j.core.config.ConfigurationFactory$Factory.getConfiguration(ConfigurationFactory.java:456) > at > org.apache.logging.log4j.core.config.ConfigurationFactory.getConfiguration(ConfigurationFactory.java:318) > at > org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:687) > at > org.apache.logging.log4j.core.LoggerContext.reconfigure(LoggerContext.java:708) > at > org.apache.logging.log4j.core.LoggerContext.start(LoggerContext.java:263) > at > org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:153) > at > org.apache.logging.log4j.core.impl.Log4jContextFactory.getContext(Log4jContextFactory.java:45) > at org.apache.logging.log4j.LogManager.getContext(LogManager.java:194) > at > org.apache.logging.log4j.spi.AbstractLoggerAdapter.getContext(AbstractLoggerAdapter.java:138) > {code} > policy file contains the following permissions: > {code} > grant codeBase "file:${catalina.home}/webapps/navigator/-" { > permission java.io.FilePermission "${catalina.home}/-", "read"; > permission java.io.FilePermission "${catalina.home}/", "read"; > }; > {code} > where catalina.home is "C:\My Space\apache-tomcat-9.0.30" > It is related to LOG4J2-466 -- This message was sent by Atlassian Jira (v8.3.4#803005)