[
https://issues.apache.org/jira/browse/LOG4J2-2902?focusedWorklogId=848199&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-848199
]
ASF GitHub Bot logged work on LOG4J2-2902:
------------------------------------------
Author: ASF GitHub Bot
Created on: 01/Mar/23 07:12
Start Date: 01/Mar/23 07:12
Worklog Time Spent: 10m
Work Description: ppkarwasz commented on PR #392:
URL: https://github.com/apache/logging-log4j2/pull/392#issuecomment-1449465904
This was closed automatically by Github because we renamed the `release-2.x`
branch to `2.x`. Feel free to resubmit to the `2.x` branch.
Issue Time Tracking
-------------------
Worklog Id: (was: 848199)
Time Spent: 20m (was: 10m)
> LoaderUtil#getClassLoaders throws a SecurityException trying to access system
> class loader
> ------------------------------------------------------------------------------------------
>
> Key: LOG4J2-2902
> URL: https://issues.apache.org/jira/browse/LOG4J2-2902
> Project: Log4j 2
> Issue Type: Bug
> Components: API
> Affects Versions: 2.13.1
> Reporter: Ryan Schmitt
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Due to a missing access check, {{LoaderUtil#getClassLoaders}} throws an
> exception when {{getClassLoader}} permissions are unavailable; this in turn
> leads to a failure to initialize the {{PropertiesUtil}} class.
> {noformat} [exec] access: access denied ("java.lang.RuntimePermission"
> "getClassLoader")
> [exec] java.lang.Exception: Stack trace
> [exec] at java.lang.Thread.dumpStack(Thread.java:1340)
> [exec] at
> java.security.AccessControlContext.checkPermission(AccessControlContext.java:462)
> [exec] at
> java.security.AccessController.checkPermission(AccessController.java:886)
> [exec] at
> java.lang.SecurityManager.checkPermission(SecurityManager.java:549)
> [exec] at
> java.lang.ClassLoader.checkClassLoaderPermission(ClassLoader.java:1521)
> [exec] at
> java.lang.ClassLoader.getSystemClassLoader(ClassLoader.java:1435)
> [exec] at
> org.apache.logging.log4j.util.LoaderUtil.getClassLoaders(LoaderUtil.java:114)
> [exec] at
> org.apache.logging.log4j.util.PropertiesUtil$Environment.<init>(PropertiesUtil.java:444)
> [exec] at
> org.apache.logging.log4j.util.PropertiesUtil$Environment.<init>(PropertiesUtil.java:422)
> [exec] at
> org.apache.logging.log4j.util.PropertiesUtil.<init>(PropertiesUtil.java:74)
> [exec] at
> org.apache.logging.log4j.util.PropertiesUtil.<clinit>(PropertiesUtil.java:54)
> [exec] at
> org.apache.logging.log4j.util.Constants.<clinit>(Constants.java:30)
> [exec] at
> org.apache.logging.log4j.spi.AbstractLogger.createClassForProperty(AbstractLogger.java:207)
> [exec] at
> org.apache.logging.log4j.spi.AbstractLogger.<clinit>(AbstractLogger.java:95)
> [exec] at
> org.apache.logging.log4j.LogManager.<clinit>(LogManager.java:60)
> [exec] at org.apache.log4j.Logger.getLogger(Logger.java:41)
> Could not initialize class org.apache.logging.log4j.util.PropertiesUtil
> {noformat}
> It looks like all we need to do is check the {{GET_CLASS_LOADER_DISABLED}}
> field first.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
