[jira] [Commented] (LOG4J2-2902) LoaderUtil#getClassLoaders throws a SecurityException trying to access system class loader

Wed, 29 Jul 2020 11:06:29 -0700 


    [ 
https://issues.apache.org/jira/browse/LOG4J2-2902?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17167412#comment-17167412
 ] 

Ryan Schmitt commented on LOG4J2-2902:
--------------------------------------

https://github.com/apache/logging-log4j2/pull/392

> LoaderUtil#getClassLoaders throws a SecurityException trying to access system 
> class loader
> ------------------------------------------------------------------------------------------
>
>                 Key: LOG4J2-2902
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-2902
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: API
>    Affects Versions: 2.13.1
>            Reporter: Ryan Schmitt
>            Priority: Major
>
> Due to a missing access check, {{LoaderUtil#getClassLoaders}} throws an 
> exception when {{getClassLoader}} permissions are unavailable; this in turn 
> leads to a failure to initialize the {{PropertiesUtil}} class.
> {noformat}     [exec] access: access denied ("java.lang.RuntimePermission" 
> "getClassLoader")
>      [exec] java.lang.Exception: Stack trace
>      [exec]     at java.lang.Thread.dumpStack(Thread.java:1340)
>      [exec]     at 
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
>      [exec]     at 
> java.security.AccessController.checkPermission(AccessController.java:886)
>      [exec]     at 
> java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
>      [exec]     at 
> java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1521)
>      [exec]     at 
> java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1435)
>      [exec]     at 
> org.apache.logging.log4j.util.LoaderUtil.getClassLoaders(LoaderUtil.java:114)
>      [exec]     at 
> org.apache.logging.log4j.util.PropertiesUtil$Environment.<init>(PropertiesUtil.java:444)
>      [exec]     at 
> org.apache.logging.log4j.util.PropertiesUtil$Environment.<init>(PropertiesUtil.java:422)
>      [exec]     at 
> org.apache.logging.log4j.util.PropertiesUtil.<init>(PropertiesUtil.java:74)
>      [exec]     at 
> org.apache.logging.log4j.util.PropertiesUtil.<clinit>(PropertiesUtil.java:54)
>      [exec]     at 
> org.apache.logging.log4j.util.Constants.<clinit>(Constants.java:30)
>      [exec]     at 
> org.apache.logging.log4j.spi.AbstractLogger.createClassForProperty(AbstractLogger.java:207)
>      [exec]     at 
> org.apache.logging.log4j.spi.AbstractLogger.<clinit>(AbstractLogger.java:95)
>      [exec]     at 
> org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:60)
>      [exec]     at org.apache.log4j.Logger.getLogger(Logger.java:41)
> Could not initialize class org.apache.logging.log4j.util.PropertiesUtil
> {noformat}
> It looks like all we need to do is check the {{GET_CLASS_LOADER_DISABLED}} 
> field first.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to