http://bugzilla.slf4j.org/show_bug.cgi?id=181

           Summary: SLF4JLogFactory#getInstance(String) should not use
                    "this" lock
           Product: SLF4J
           Version: 1.5.x
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: major
          Priority: P1
         Component: jcl-over-slf4j
        AssignedTo: [email protected]
        ReportedBy: [email protected]


org.apache.commons.logging.impl.SLF4JLogFactory

The class is open to a denial-of-service attack:

  public Log getInstance(String name) throws LogConfigurationException {
...
    synchronized (this) {
...
    }
...
  }

@@@@

import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

import org.apache.commons.logging.LogFactory;

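public class Test {

  public static void main(String[] args) {
    ExecutorService pool = Executors.newCachedThreadPool();
    // Thread 1: takes the factory's monitor (the same object getInstance
    // locks via "this") and never releases it.
    pool.execute(new Runnable() {
      public void run() {
        synchronized (LogFactory.getFactory()) {
          while (true);
        }
      }
    });
    // Thread 2: ordinary logging call; getLog() blocks inside getInstance()
    // for as long as thread 1 holds the monitor.
    pool.execute(new Runnable() {
      public void run() {
        System.out.println("Logged?");
        LogFactory.getLog("test").info("logged");
      }
    });
  }
}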

@@@@

Use either:

private final Object lock = new Object();

synchronized(lock)

or:

synchronized(loggerMap)

@@

see also:

Bloch, Joshua. Effective Java (Second Edition). Sun Microsystems
Press/Prentice-Hall, 2008. 280.

