[GitHub] [logging-log4j2] boris-unckel commented on pull request #1006: LOG4J2-3579 Add privileged execution for ServiceLoading

[GitBox <gi...@apache.org>]

boris-unckel commented on PR #1006:
URL: https://github.com/apache/logging-log4j2/pull/1006#issuecomment-1221502184

   @ppkarwasz 
   
   > Since `AccessController#doPrivileged` is another caller sensitive method, I think that your PR should do the same and call it through `MethodHandles.Lookup`.
   
   Thanks for your feedback. I have changed this accordingly.
   
   I have serious doubts the current fix is a good idea in general. Obviously addressing Java 8 and Java 11 consumers the SecurityManager is a must have, causing a regression between 2.17.2 and 2.18. I would expect a major version jump indicating a "no support" situation including explicit documentation. But:
   
   The class is available to all the user land: It makes it possible to run code (service loading) with privileged rights (in terms of WildFly: server side - "AllPermission"). Now "all world" can load any Service (even remote?). I have not tested it yet, but I would assume it is better to fix it at all current usage points of the public methods. Then only fixed Services can be loaded privileged, but not any. (For WildFly it would be only for classes visible for the log4j2 module loader).


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@logging.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org