[ https://issues.apache.org/jira/browse/LOG4J2-2902?focusedWorklogId=848084&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-848084 ]
ASF GitHub Bot logged work on LOG4J2-2902: ------------------------------------------ Author: ASF GitHub Bot Created on: 28/Feb/23 15:02 Start Date: 28/Feb/23 15:02 Worklog Time Spent: 10m Work Description: vy closed pull request #392: [LOG4J2-2902] Add missing LoaderUtil permissions check URL: https://github.com/apache/logging-log4j2/pull/392 Issue Time Tracking ------------------- Worklog Id: (was: 848084) Remaining Estimate: 0h Time Spent: 10m > LoaderUtil#getClassLoaders throws a SecurityException trying to access system > class loader > ------------------------------------------------------------------------------------------ > > Key: LOG4J2-2902 > URL: https://issues.apache.org/jira/browse/LOG4J2-2902 > Project: Log4j 2 > Issue Type: Bug > Components: API > Affects Versions: 2.13.1 > Reporter: Ryan Schmitt > Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > Due to a missing access check, {{LoaderUtil#getClassLoaders}} throws an > exception when {{getClassLoader}} permissions are unavailable; this in turn > leads to a failure to initialize the {{PropertiesUtil}} class. > {noformat} [exec] access: access denied ("java.lang.RuntimePermission" > "getClassLoader") > [exec] java.lang.Exception: Stack trace > [exec] at java.lang.Thread.dumpStack(Thread.java:1340) > [exec] at > java.security.AccessControlContext.checkPermission(AccessControlContext.java:462) > [exec] at > java.security.AccessController.checkPermission(AccessController.java:886) > [exec] at > java.lang.SecurityManager.checkPermission(SecurityManager.java:549) > [exec] at > java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1521) > [exec] at > java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1435) > [exec] at > org.apache.logging.log4j.util.LoaderUtil.getClassLoaders(LoaderUtil.java:114) > [exec] at > org.apache.logging.log4j.util.PropertiesUtil$Environment.<init>(PropertiesUtil.java:444) > [exec] at > org.apache.logging.log4j.util.PropertiesUtil$Environment.<init>(PropertiesUtil.java:422) > [exec] at > org.apache.logging.log4j.util.PropertiesUtil.<init>(PropertiesUtil.java:74) > [exec] at > org.apache.logging.log4j.util.PropertiesUtil.<clinit>(PropertiesUtil.java:54) > [exec] at > org.apache.logging.log4j.util.Constants.<clinit>(Constants.java:30) > [exec] at > org.apache.logging.log4j.spi.AbstractLogger.createClassForProperty(AbstractLogger.java:207) > [exec] at > org.apache.logging.log4j.spi.AbstractLogger.<clinit>(AbstractLogger.java:95) > [exec] at > org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:60) > [exec] at org.apache.log4j.Logger.getLogger(Logger.java:41) > Could not initialize class org.apache.logging.log4j.util.PropertiesUtil > {noformat} > It looks like all we need to do is check the {{GET_CLASS_LOADER_DISABLED}} > field first. -- This message was sent by Atlassian Jira (v8.20.10#820010)