SLF4J / SLF4J-172

SLF4JLogFactory#getInstance(String) should not use "this" lock


Details

    • Type: Bug
    • Resolution: Fixed
    • None
    • 1.5.x
    • jcl-over-slf4j
    • None
    • Operating System: All
      Platform: All

    Description

      org.apache.commons.logging.impl.SLF4JLogFactory

      The class is open to a denial-of-service attack:

      public Log getInstance(String name) throws LogConfigurationException {
          ...
          synchronized (this) { ... }
          ...
      }

      @@@@

      import java.util.concurrent.ExecutorService;
      import java.util.concurrent.Executors;

      import org.apache.commons.logging.LogFactory;

      public class Test {

          public static void main(String[] args) {
              ExecutorService pool = Executors.newCachedThreadPool();
              // First task: takes the factory's monitor from outside and never releases it.
              pool.execute(new Runnable() {
                  public void run() {
                      synchronized (LogFactory.getFactory()) { while (true); }
                  }
              });
              // Second task: prints, then blocks in getLog() while the first task holds the monitor.
              pool.execute(new Runnable() {
                  public void run() {
                      System.out.println("Logged?");
                      LogFactory.getLog("test").info("logged");
                  }
              });
          }
      }

      @@@@

      Use either:

      private final Object lock = new Object();

      synchronized(lock)

      or:

      synchronized(loggerMap)

      @@

      see also:

      Bloch, Joshua. Effective Java (Second Edition). Sun Microsystems Press/Prentice-Hall, 2008. 280.
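
The fix proposed above, as an added example that is not part of the original report or of SLF4J's code: a hypothetical `Factory` stand-in synchronizes either on `this` or on a private lock, and `completesWhileMonitorHeld` checks whether `getInstance` still returns while another thread holds the factory's public monitor. The class names, the `useThis` switch and the 500 ms timeout are assumptions made for the demonstration.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;

public class PrivateLockDemo {
    // Hypothetical stand-in for a logger factory; not SLF4JLogFactory itself.
    static class Factory {
        private final Object lock = new Object();   // never escapes this class
        private final Map<String, Object> loggerMap = new HashMap<>();
        private final boolean useThis;

        Factory(boolean useThis) { this.useThis = useThis; }

        Object getInstance(String name) {
            // useThis = true is the reported pattern, false is the private-lock fix.
            synchronized (useThis ? this : lock) {
                return loggerMap.computeIfAbsent(name, n -> new Object());
            }
        }
    }

    // True if getInstance() returns while another thread holds the factory's own monitor.
    static boolean completesWhileMonitorHeld(Factory f) throws InterruptedException {
        CountDownLatch held = new CountDownLatch(1);
        CountDownLatch release = new CountDownLatch(1);
        CountDownLatch done = new CountDownLatch(1);
        Thread holder = new Thread(() -> {
            synchronized (f) {                       // any code with a reference can do this
                held.countDown();
                try { release.await(); } catch (InterruptedException ignored) { }
            }
        });
        holder.start();
        held.await();                                // monitor is now held externally
        Thread caller = new Thread(() -> { f.getInstance("test"); done.countDown(); });
        caller.start();
        boolean completed = done.await(500, TimeUnit.MILLISECONDS);
        release.countDown();                         // let both threads finish cleanly
        holder.join();
        caller.join();
        return completed;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("synchronized (this): " + completesWhileMonitorHeld(new Factory(true)));
        System.out.println("synchronized (lock): " + completesWhileMonitorHeld(new Factory(false)));
    }
}
```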

          People

            slf4j-dev SLF4J developers list
            sdavids@gmx.de Sebastian Davids