Issue Type: Bug
Affects Versions: 1.0.7
Assignee: Logback dev list
Attachments: TestTraceApp.zip
Components: logback-classic
Created: 02/Oct/12 6:10 PM
Description:
I have a signed applet embedded in a web page.
The applet jar includes:
slf4j-api-1.7.1.jar
logback-classic-1.0.7.jar
logback-core-1.0.7.jar
This sample code is called from the javascript (without elevated privileges):
    public void foo() {
        try {
            bar();
        } catch (Exception e) {
            LoggerFactory.getLogger("TestTraceApp").error("Exception caught", e);
        }
    }
    private void bar() throws Exception {
        throw new Exception("text");
    }
It creates a lot of "trash" in the java console (see attached javaconsole.txt).
The bug seems to be in:
ch.qos.logback.classic.spi.PackagingDataCalculator.bestEffortLoadClass():
This method tries to call Class.forName() => which requires permissions which the applet does not have.
And in case of exception the code falls back to:
"240 e.printStackTrace(); // this is unexpected"
And the stack trace is displayed for each initial exception frame :(.
Solutions:
1. Catch AccessControlException and simply return null as we have no rights to call Class.forName() => safest and simplest solution.
2. Call Class.forName() inside an AccessController.doPrivileged() call => but security impacts must be studied.
Environment: All os, all browsers.
Project: logback
Priority: Major
Reporter: tomsor
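Solution 1 from the description, as a standalone sketch (an added example, not logback's code and not the reporter's). The class name QuietClassLookup and the constructed DenyingLoader, which stands in for the applet sandbox by throwing SecurityException, are assumptions; AccessControlException is a subclass of SecurityException, so one catch covers it.

```java
// Added example: a best-effort class lookup that stays quiet when the
// caller is not permitted to load classes. Names here are hypothetical.
public class QuietClassLookup {

    /**
     * Lookup used only to decorate stack traces with packaging data.
     * Returns null when the class is missing or when the security policy
     * refuses the lookup; it never prints a stack trace of its own.
     */
    static Class<?> bestEffortLoadClass(ClassLoader loader, String className) {
        try {
            // initialize=false: we only need the Class object, not its static init
            return Class.forName(className, false, loader);
        } catch (ClassNotFoundException | NoClassDefFoundError e) {
            return null; // class is simply not visible from this loader
        } catch (SecurityException e) {
            // Includes AccessControlException: unprivileged code (for example
            // an applet method invoked from JavaScript) may not load classes.
            // Packaging data is optional, so give up silently.
            return null;
        }
    }

    /** Constructed stand-in for a restricted sandbox: denies every lookup. */
    static final class DenyingLoader extends ClassLoader {
        DenyingLoader() {
            super(null);
        }

        @Override
        protected Class<?> loadClass(String name, boolean resolve) {
            throw new SecurityException("access denied (constructed): " + name);
        }
    }

    public static void main(String[] args) {
        ClassLoader normal = QuietClassLookup.class.getClassLoader();
        // Permitted lookup of an existing class
        System.out.println(bestEffortLoadClass(normal, "java.lang.String"));
        // Missing class: null, no console noise
        System.out.println(bestEffortLoadClass(normal, "no.such.Type"));
        // Denied lookup: null, and no stack trace per frame
        System.out.println(bestEffortLoadClass(new DenyingLoader(), "java.lang.String"));
    }
}
```

Solution 2 (wrapping the lookup in AccessController.doPrivileged()) is left out of the sketch because, as the description says, its security impact would have to be studied first.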