A way to disable the optimization for filling the stack traces (#3638)

neboskreb · web-flow · commit db0360d4ce1e · 2025-05-01T08:16:41.000+02:00
* Verifying the capability of PrivateSecurityManager so platforms not (fully) supporting SecurityManager do not poison the stack trace.

* Changelog
diff --git a/log4j-api/src/main/java/org/apache/logging/log4j/util/PrivateSecurityManagerStackTraceUtil.java b/log4j-api/src/main/java/org/apache/logging/log4j/util/PrivateSecurityManagerStackTraceUtil.java
@@ -29,6 +29,35 @@ final class PrivateSecurityManagerStackTraceUtil {
     private static final PrivateSecurityManager SECURITY_MANAGER;
 
     static {
+        PrivateSecurityManager candidate = createPrivateSecurityManager();
+        if (isCapable(candidate)) {
+            SECURITY_MANAGER = candidate;
+        } else {
+            SECURITY_MANAGER = null;
+        }
+    }
+
+    private static boolean isCapable(PrivateSecurityManager candidate) {
+        if (candidate == null) {
+            return false;
+        }
+
+        try {
+            final Class<?>[] result = candidate.getClassContext();
+            if (result == null || result.length == 0) {
+                // This happens e.g. on Android which has real implementation of SecurityManager replaced with merely
+                // stubs. So the PrivateSecurityManager, though can be instantiated, will not produce meaningful
+                // results
+                return false;
+            }
+            // Add more checks here as needed
+            return true;
+        } catch (Exception ignored) {
+            return false;
+        }
+    }
+
+    private static PrivateSecurityManager createPrivateSecurityManager() {
         PrivateSecurityManager psm;
         try {
             final SecurityManager sm = System.getSecurityManager();
@@ -40,7 +69,7 @@ final class PrivateSecurityManagerStackTraceUtil {
             psm = null;
         }
 
-        SECURITY_MANAGER = psm;
+        return psm;
     }
 
     private PrivateSecurityManagerStackTraceUtil() {
diff --git a/src/changelog/.2.x.x/3639_disable_optimization_for_filling_the_stack_trace.xml b/src/changelog/.2.x.x/3639_disable_optimization_for_filling_the_stack_trace.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<entry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xmlns="https://logging.apache.org/xml/ns"
+       xsi:schemaLocation="https://logging.apache.org/xml/ns https://logging.apache.org/xml/ns/log4j-changelog-0.xsd"
+       type="fixed">
+  <issue id="3639" link="https://github.com/apache/logging-log4j2/issues/3639"/>
+  <description format="asciidoc">
+    Verify the capability of SecurityManager so that platforms not (fully) supporting it will not poison the stack trace
+  </description>
+</entry>
