You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@logging.apache.org by gg...@apache.org on 2018/03/01 15:30:48 UTC
logging-log4j2 git commit: [LOG4J2-2274] Allow
EnvironmentPropertySource to run with a SecurityManager that rejects
environment variable access.
Repository: logging-log4j2
Updated Branches:
refs/heads/release-2.x fb966eb4e -> e21d127c6
[LOG4J2-2274] Allow EnvironmentPropertySource to run with a
SecurityManager that rejects environment variable access.
Project: http://git-wip-us.apache.org/repos/asf/logging-log4j2/repo
Commit: http://git-wip-us.apache.org/repos/asf/logging-log4j2/commit/e21d127c
Tree: http://git-wip-us.apache.org/repos/asf/logging-log4j2/tree/e21d127c
Diff: http://git-wip-us.apache.org/repos/asf/logging-log4j2/diff/e21d127c
Branch: refs/heads/release-2.x
Commit: e21d127c6a684ba05da7fa2500c733867285a59d
Parents: fb966eb
Author: Gary Gregory <ga...@gmail.com>
Authored: Thu Mar 1 08:30:43 2018 -0700
Committer: Gary Gregory <ga...@gmail.com>
Committed: Thu Mar 1 08:30:43 2018 -0700
----------------------------------------------------------------------
.../log4j/util/EnvironmentPropertySource.java | 19 +++--
...onmentPropertySourceSecurityManagerTest.java | 76 ++++++++++++++++++++
src/changes/changes.xml | 3 +
3 files changed, 94 insertions(+), 4 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/logging-log4j2/blob/e21d127c/log4j-api/src/main/java/org/apache/logging/log4j/util/EnvironmentPropertySource.java
----------------------------------------------------------------------
diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/util/EnvironmentPropertySource.java b/log4j-api/src/main/java/org/apache/logging/log4j/util/EnvironmentPropertySource.java
index af8c23e..84cec36 100644
--- a/log4j-api/src/main/java/org/apache/logging/log4j/util/EnvironmentPropertySource.java
+++ b/log4j-api/src/main/java/org/apache/logging/log4j/util/EnvironmentPropertySource.java
@@ -26,17 +26,28 @@ import java.util.Map;
* @since 2.10.0
*/
public class EnvironmentPropertySource implements PropertySource {
+
+ private static final String PREFIX = "LOG4J_";
+ private static final int DEFAULT_PRIORITY = -100;
+
@Override
public int getPriority() {
- return -100;
+ return DEFAULT_PRIORITY;
}
@Override
public void forEach(final BiConsumer<String, String> action) {
- for (final Map.Entry<String, String> entry : System.getenv().entrySet()) {
+ final Map<String, String> getenv;
+ try {
+ getenv = System.getenv();
+ } catch (SecurityException e) {
+ // There is no status logger yet.
+ return;
+ }
+ for (final Map.Entry<String, String> entry : getenv.entrySet()) {
final String key = entry.getKey();
- if (key.startsWith("LOG4J_")) {
- action.accept(key.substring(6), entry.getValue());
+ if (key.startsWith(PREFIX)) {
+ action.accept(key.substring(PREFIX.length()), entry.getValue());
}
}
}
http://git-wip-us.apache.org/repos/asf/logging-log4j2/blob/e21d127c/log4j-core/src/test/java/org/apache/logging/log4j/util/EnvironmentPropertySourceSecurityManagerTest.java
----------------------------------------------------------------------
diff --git a/log4j-core/src/test/java/org/apache/logging/log4j/util/EnvironmentPropertySourceSecurityManagerTest.java b/log4j-core/src/test/java/org/apache/logging/log4j/util/EnvironmentPropertySourceSecurityManagerTest.java
new file mode 100644
index 0000000..f85d640
--- /dev/null
+++ b/log4j-core/src/test/java/org/apache/logging/log4j/util/EnvironmentPropertySourceSecurityManagerTest.java
@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache license, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the license for the specific language governing permissions and
+ * limitations under the license.
+ */
+
+package org.apache.logging.log4j.util;
+
+import java.security.Permission;
+
+import org.apache.logging.log4j.core.config.builder.api.ConfigurationBuilderFactory;
+import org.junit.Assert;
+import org.junit.Test;
+
+/**
+ * Tests https://issues.apache.org/jira/browse/LOG4J2-2274.
+ *
+ * @see EnvironmentPropertySource
+ * @see SecurityManager
+ * @see System#setSecurityManager(SecurityManager)
+ */
+public class EnvironmentPropertySourceSecurityManagerTest {
+
+ /**
+ * Always throws a SecurityException for any environment variables permission check.
+ */
+ private class TestSecurityManager extends SecurityManager {
+ @Override
+ public void checkPermission(Permission permission) {
+ if ("getenv.*".equals(permission.getName())) {
+ throw new SecurityException();
+ }
+ }
+ }
+
+ /**
+ * Makes sure we do not blow up with exception below due to a security manager rejecting environment variable access
+ * in {@link EnvironmentPropertySource}.
+ *
+ * <pre>
+ * java.lang.NoClassDefFoundError: Could not initialize class org.apache.logging.log4j.util.PropertiesUtil
+ * at org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:78)
+ * at org.apache.logging.log4j.core.AbstractLifeCycle.<clinit>(AbstractLifeCycle.java:38)
+ * at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
+ * at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
+ * at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
+ * at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
+ * at org.apache.logging.log4j.core.config.builder.impl.DefaultConfigurationBuilder.build(DefaultConfigurationBuilder.java:172)
+ * at org.apache.logging.log4j.core.config.builder.impl.DefaultConfigurationBuilder.build(DefaultConfigurationBuilder.java:161)
+ * at org.apache.logging.log4j.core.config.builder.impl.DefaultConfigurationBuilder.build(DefaultConfigurationBuilder.java:1)
+ * at org.apache.logging.log4j.util.EnvironmentPropertySourceSecurityManagerTest.test(EnvironmentPropertySourceSecurityManagerTest.java:55)
+ * </pre>
+ */
+ @Test
+ public void test() {
+ try {
+ SecurityManager securityManager = new TestSecurityManager();
+ System.setSecurityManager(securityManager);
+ } catch (SecurityException se) {
+ // The SecurityManager is already set
+ }
+
+ Assert.assertNotNull(ConfigurationBuilderFactory.newConfigurationBuilder().build());
+ }
+}
http://git-wip-us.apache.org/repos/asf/logging-log4j2/blob/e21d127c/src/changes/changes.xml
----------------------------------------------------------------------
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index b8ec985..989e3b3 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -210,6 +210,9 @@
<action issue="LOG4J2-2276" dev="ggregory" type="fix" due-to="Sean Baxter">
ConcurrentModificationException from org.apache.logging.log4j.status.StatusLogger.<clinit>(StatusLogger.java:71).
</action>
+ <action issue="LOG4J2-2274" dev="ggregory" type="fix" due-to="">
+ Allow EnvironmentPropertySource to run with a SecurityManager that rejects environment variable access.
+ </action>
</release>
<release version="2.10.0" date="2017-11-18" description="GA Release 2.10.0">
<action issue="LOG4J2-2120" dev="mikes" type="add" due-to="Carter Douglas Kozak">