<style>
/* Changing the layout to use less space for mobiles */
@media screen and (max-device-width: 480px), screen and (-webkit-min-device-pixel-ratio: 2) {
    #email-body { min-width: 30em !important; }
    #email-page { padding: 8px !important; }
    #email-banner { padding: 8px 8px 0 8px !important; }
    #email-avatar { margin: 1px 8px 8px 0 !important; padding: 0 !important; }
    #email-fields { padding: 0 8px 8px 8px !important; }
    #email-gutter { width: 0 !important; }
}
</style>
<div id="email-body">
<table id="email-wrap" align="center" border="0" cellpadding="0" cellspacing="0" style="background-color:#f0f0f0;color:#000000;width:100%;">
    <tr valign="top">
        <td id="email-page" style="padding:16px !important;">
            <table align="center" border="0" cellpadding="0" cellspacing="0" style="background-color:#ffffff;border:1px solid #bbbbbb;color:#000000;width:100%;">
                <tr valign="top">
                    <td bgcolor="#003366" style="background-color:#003366;color:#ffffff;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;line-height:1;"><img src="http://jira.qos.ch/s/en_USb9v8he-418945332/850/25/_/jira-logo-scaled.png" alt="" style="vertical-align:top;" /></td>
                </tr><tr valign="top">
    <td id="email-banner" style="padding:32px 32px 0 32px;">
        
                
        
        
            <table align="left" border="0" cellpadding="0" cellspacing="0" width="100%" style="width:100%;">
    <tr valign="top">
        <td style="color:#505050;font-family:Arial,FreeSans,Helvetica,sans-serif;padding:0;">
                                        <img id="email-avatar" src="http://jira.qos.ch/secure/useravatar?avatarId=10122" alt="" height="48" width="48" border="0" align="left" style="padding:0;margin: 0 16px 16px 0;" />
                        <div id="email-action" style="padding: 0 0 8px 0;font-size:12px;line-height:18px;">
                                    <a class="user-hover" rel="christian" id="email_christian" href="http://jira.qos.ch/secure/ViewProfile.jspa?name=christian" style="color:#326ca6;">Christian Brensing</a>
     created <img src="http://jira.qos.ch/images/icons/issuetypes/bug.png" height="16" width="16" border="0" align="absmiddle" alt="Bug"> <a style='color:#326ca6;text-decoration:none;' href='http://jira.qos.ch/browse/LOGBACK-869'>LOGBACK-869</a>
            </div>
                        <div id="email-summary" style="font-size:16px;line-height:20px;padding:2px 0 16px 0;">
                <a style='color:#326ca6;text-decoration:none;' href='http://jira.qos.ch/browse/LOGBACK-869'><strong>File rolling causes SecurityException if the caller stack contains untrusted domains</strong></a>
            </div>
                    </td>
    </tr>
</table>
    </td>
</tr>
<tr valign="top">
    <td id="email-fields" style="padding:0 32px 32px 32px;">
        <table border="0" cellpadding="0" cellspacing="0" style="padding:0;text-align:left;width:100%;" width="100%">
            <tr valign="top">
                <td id="email-gutter" style="width:64px;white-space:nowrap;"></td>
                <td>
                    <table border="0" cellpadding="0" cellspacing="0" width="100%">
                        <tr valign="top">
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
        <strong style="font-weight:normal;color:#505050;">Issue Type:</strong>
    </td>
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
                <img src="http://jira.qos.ch/images/icons/issuetypes/bug.png" height="16" width="16" border="0" align="absmiddle" alt="Bug">        Bug
    </td>
</tr>                                                <tr valign="top">
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
        <strong style="font-weight:normal;color:#505050;">Assignee:</strong>
    </td>
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
                                        <a class="user-hover" rel="logback-dev@qos.ch" id="email_logback-dev@qos.ch" href="http://jira.qos.ch/secure/ViewProfile.jspa?name=logback-dev%40qos.ch" style="color:#326ca6;">Logback dev list</a>
                </td>
</tr>                                                <tr valign="top">
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
        <strong style="font-weight:normal;color:#505050;">Components:</strong>
    </td>
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
                    logback-core            </td>
</tr>
                        <tr valign="top">
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
        <strong style="font-weight:normal;color:#505050;">Created:</strong>
    </td>
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
        22/May/13 3:21 PM
    </td>
</tr>                        <tr valign="top">
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
        <strong style="font-weight:normal;color:#505050;">Description:</strong>
    </td>
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
        <p style='margin-top:0;margin-bottom:10px;'>If Java security is enabled (a <tt>SecurityManager</tt> is installed) and the log message that triggers the file rolling (e.g. because the file size limit has been reached) was written by code from an untrusted domain, an <tt>AccessControlException</tt> is thrown if the caller's domain does not have the privileges needed to roll over the log file (read, write). That's because the permission check walks the call stack and <b>every</b> protection domain on it must have the required privileges, not just logback's own.</p>

<p style='margin-top:0;margin-bottom:10px;'>Example:</p>
<ul>
        <li>Security is enabled.</li>
        <li>A log message is written (or an <tt>ILoggingEvent</tt> is fired) by untrusted code.</li>
        <li><b>This</b> <img class="emoticon" src="http://jira.qos.ch/images/icons/emoticons/warning.gif" height="16" width="16" align="absmiddle" alt="" border="0"/> event causes the file rollover.</li>
        <li><tt>SecurityException</tt> is thrown, because the untrusted logger call is still on the rollover call stack.</li>
</ul>


<div class="code panel" style="border-width: 1px;"><div class="codeHeader panelHeader" style="border-bottom-width: 1px;"><b>Excerpt from StatusPrinter</b></div><div class="codeContent panelContent">
<pre class="code-java">
ERROR in ch.qos.logback.core.rolling.RollingFileAppender[FOO] - Appender [FOO] failed to append. java.security.AccessControlException: access denied (<span class="code-quote">"java.io.FilePermission"</span> <span class="code-quote">"/home/christian/foo/bar/logs/foo.log"</span> <span class="code-quote">"read"</span>)
        at java.security.AccessControlException: access denied (<span class="code-quote">"java.io.FilePermission"</span> <span class="code-quote">"/home/christian/foo/bar/logs/foo.log"</span> <span class="code-quote">"read"</span>)
        at      at java.security.AccessControlContext.checkPermission(AccessControlContext.java:366)
        at      at org.eclipse.osgi.internal.permadmin.EquinoxSecurityManager.internalCheckPermission(EquinoxSecurityManager.java:117)
        at      at org.eclipse.osgi.internal.permadmin.EquinoxSecurityManager$CheckPermissionAction.run(EquinoxSecurityManager.java:60)
        at      at java.security.AccessController.doPrivileged(Native Method)
        at      at org.eclipse.osgi.internal.permadmin.EquinoxSecurityManager.checkPermission(EquinoxSecurityManager.java:88)
        at      at org.eclipse.osgi.internal.permadmin.EquinoxSecurityManager.checkPermission(EquinoxSecurityManager.java:186)
        at      at java.lang.<span class="code-object">SecurityManager</span>.checkRead(<span class="code-object">SecurityManager</span>.java:888)
        at      at java.io.File.length(File.java:910)
        at      at ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy.isTriggeringEvent(SizeBasedTriggeringPolicy.java:59)
        at      at ch.qos.logback.core.rolling.RollingFileAppender.subAppend(RollingFileAppender.java:170)
        at      at ch.qos.logback.core.OutputStreamAppender.append(OutputStreamAppender.java:103)
        at      at ch.qos.logback.core.UnsynchronizedAppenderBase.doAppend(UnsynchronizedAppenderBase.java:88)
        at      at ch.qos.logback.core.spi.AppenderAttachableImpl.appendLoopOnAppenders(AppenderAttachableImpl.java:48)
        at      at ch.qos.logback.classic.Logger.appendLoopOnAppenders(Logger.java:272)
        at      at ch.qos.logback.classic.Logger.callAppenders(Logger.java:259)
        at      at ch.qos.logback.classic.Logger.buildLoggingEventAndAppend(Logger.java:441)
        at      at ch.qos.logback.classic.Logger.filterAndLog_1(Logger.java:413)
        at      at ch.qos.logback.classic.Logger.info(Logger.java:603)
        at      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at      at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at      at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at      at java.lang.reflect.Method.invoke(Method.java:601)
        at      at org.jruby.javasupport.JavaMethod.invokeDirectWithExceptionHandling(JavaMethod.java:425)
        at      at org.jruby.javasupport.JavaMethod.invokeDirect(JavaMethod.java:292)
...
</pre>
</div></div>

<p style='margin-top:0;margin-bottom:10px;'><img class="emoticon" src="http://jira.qos.ch/images/icons/emoticons/information.gif" height="16" width="16" align="absmiddle" alt="" border="0"/> In this example the untrusted code domain is <tt>JRuby</tt>, which has evaluated a script that wrote a log message.</p>

<p style='margin-top:0;margin-bottom:10px;'>This issue can be solved by marking the rollover call from within the LOGBack domain as <em>privileged</em> using <tt>AccessController.doPrivileged()</tt>. As the rollover is actually triggered in <tt>RollingFileAppender#subAppend(E event)</tt> this should be straightforward. Instead of</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
<span class="code-keyword">if</span> (triggeringPolicy.isTriggeringEvent(currentlyActiveFile, event)) {
  rollover();
}
</pre>
</div></div>
<p style='margin-top:0;margin-bottom:10px;'>we could use</p>
<div class="code panel" style="border-width: 1px;"><div class="codeContent panelContent">
<pre class="code-java">
AccessController.doPrivileged(<span class="code-keyword">new</span> PrivilegedAction&lt;<span class="code-object">Void</span>&gt;() {
  @Override
  <span class="code-keyword">public</span> <span class="code-object">Void</span> run() {
    <span class="code-keyword">if</span> (triggeringPolicy.isTriggeringEvent(currentlyActiveFile, event)) {
      rollover();
    }
    <span class="code-keyword">return</span> <span class="code-keyword">null</span>;
  }
});
</pre>
</div></div>
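<p style='margin-top:0;margin-bottom:10px;'>to mark both the file read access in <tt>triggeringPolicy.isTriggeringEvent()</tt> and the write access in <tt>rollover()</tt> as <em>privileged</em>. With this change only the domains from logback's <tt>doPrivileged</tt> frame downwards are checked, so the untrusted caller no longer needs the <tt>FilePermission</tt> for the log files. Because everything inside the block then runs with logback's permissions no matter who logged, the block should stay limited to these two calls, and the affected paths should come from the appender configuration, not from the content of the log event.</p>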

<p style='margin-top:0;margin-bottom:10px;'><img class="emoticon" src="http://jira.qos.ch/images/icons/emoticons/check.gif" height="16" width="16" align="absmiddle" alt="" border="0"/> I will provide a simple pull request to fix this issue.</p>
    </td>
</tr>
                                                                                                <tr valign="top">
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
        <strong style="font-weight:normal;color:#505050;">Project:</strong>
    </td>
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
        <a style="color:#326ca6;" href="http://jira.qos.ch/browse/LOGBACK">logback</a>
    </td>
</tr>                                                <tr valign="top">
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
        <strong style="font-weight:normal;color:#505050;">Priority:</strong>
    </td>
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
                        <img src="http://jira.qos.ch/images/icons/priorities/major.png" height="16" width="16" border="0" align="absmiddle" alt="Major">                Major
    </td>
</tr>
                        <tr valign="top">
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 10px 10px 0;white-space:nowrap;">
        <strong style="font-weight:normal;color:#505050;">Reporter:</strong>
    </td>
    <td style="color:#000000;font-family:Arial,FreeSans,Helvetica,sans-serif;font-size:12px;padding:0 0 10px 0;width:100%;">
                                        <a class="user-hover" rel="christian" id="email_christian" href="http://jira.qos.ch/secure/ViewProfile.jspa?name=christian" style="color:#326ca6;">Christian Brensing</a>
                </td>
</tr>                                                                    </table>
                </td>
            </tr>
        </table>
    </td>
</tr>













            </table>
        </td><!-- End #email-page -->
    </tr>
</table><!-- End #email-wrap -->
</div><!-- End #email-body -->