[jira] [Closed] (LOG4J2-1110) org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security permission too late

[Gary Gregory (JIRA)]

     [ 
https://issues.apache.org/jira/browse/LOG4J2-1110?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Gary Gregory closed LOG4J2-1110.
--------------------------------
       Resolution: Fixed
    Fix Version/s: 2.4

In Git master.

> org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security 
> permission too late
> ------------------------------------------------------------------------------------------
>
>                 Key: LOG4J2-1110
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1110
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: JUL adapter
>    Affects Versions: 2.3
>            Reporter: Gary Gregory
>             Fix For: 2.4
>
>
> org.apache.logging.log4j.jul.CoreLogger.setLevel() checks for security 
> permission too late.
> The JUL Javadocs 
> https://docs.oracle.com/javase/7/docs/api/java/util/logging/Logger.html#setLevel(java.util.logging.Level)
>  state:
> {quote}
> Throws:
> SecurityException - if a security manager exists and if the caller does not 
> have LoggingPermission("control").
> {quote}
> Our impl {{org.apache.logging.log4j.jul.CoreLogger.setLevel(Level)}}:
> {code:java}
>     @Override
>     public void setLevel(final Level level) throws SecurityException {
>         logger.setLevel(LevelTranslator.toLevel(level));
>         super.doSetLevel(level);
>     }
> {code}
> Checks for perms through {{super.doSetLevel(level)}} which is too late since 
> our logger is already modified.
> The fix is to switch the two calls:
> {code:java}
>     @Override
>     public void setLevel(final Level level) throws SecurityException {
>         super.doSetLevel(level);
>         logger.setLevel(LevelTranslator.toLevel(level));
>     }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: log4j-dev-unsubscr...@logging.apache.org
For additional commands, e-mail: log4j-dev-h...@logging.apache.org