[jira] [Created] (LOG4J2-2902) LoaderUtil#getClassLoaders throws a SecurityException trying to access system class loader

Wed, 29 Jul 2020 10:53:33 -0700 

Ryan Schmitt created LOG4J2-2902:
------------------------------------

             Summary: LoaderUtil#getClassLoaders throws a SecurityException 
trying to access system class loader
                 Key: LOG4J2-2902
                 URL: https://issues.apache.org/jira/browse/LOG4J2-2902
             Project: Log4j 2
          Issue Type: Bug
          Components: API
    Affects Versions: 2.13.1
            Reporter: Ryan Schmitt


Due to a missing access check, {{LoaderUtil#getClassLoaders}} throws an 
exception when {{getClassLoader}} permissions are unavailable; this in turn 
leads to a failure to initialize the {{PropertiesUtil}} class.

{noformat}     [exec] access: access denied ("java.lang.RuntimePermission" 
"getClassLoader")
     [exec] java.lang.Exception: Stack trace
     [exec]     at java.lang.Thread.dumpStack(Thread.java:1340)
     [exec]     at 
java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
     [exec]     at 
java.security.AccessController.checkPermission(AccessController.java:886)
     [exec]     at 
java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
     [exec]     at 
java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1521)
     [exec]     at 
java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1435)
     [exec]     at 
org.apache.logging.log4j.util.LoaderUtil.getClassLoaders(LoaderUtil.java:114)
     [exec]     at 
org.apache.logging.log4j.util.PropertiesUtil$Environment.<init>(PropertiesUtil.java:444)
     [exec]     at 
org.apache.logging.log4j.util.PropertiesUtil$Environment.<init>(PropertiesUtil.java:422)
     [exec]     at 
org.apache.logging.log4j.util.PropertiesUtil.<init>(PropertiesUtil.java:74)
     [exec]     at 
org.apache.logging.log4j.util.PropertiesUtil.<clinit>(PropertiesUtil.java:54)
     [exec]     at 
org.apache.logging.log4j.util.Constants.<clinit>(Constants.java:30)
     [exec]     at 
org.apache.logging.log4j.spi.AbstractLogger.createClassForProperty(AbstractLogger.java:207)
     [exec]     at 
org.apache.logging.log4j.spi.AbstractLogger.<clinit>(AbstractLogger.java:95)
     [exec]     at 
org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:60)
     [exec]     at org.apache.log4j.Logger.getLogger(Logger.java:41)

Could not initialize class org.apache.logging.log4j.util.PropertiesUtil
{noformat}

It looks like all we need to do is check the {{GET_CLASS_LOADER_DISABLED}} 
field first.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to