Repository: logging-log4j-tools Updated Branches: refs/heads/master 9b93b3fb5 -> afa3230de
LOG4J2-2163 Deprecate ObjectInputStreamLogEventBridge
Project: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/repo
Commit: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/commit/017ae957
Tree: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/tree/017ae957
Diff: http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/diff/017ae957
Branch: refs/heads/master
Commit: 017ae95760be63eb9212ee5c450b165d966a67bb
Parents: 9b93b3f
Author: Mikael Ståldal <mik...@staldal.nu>
Authored: Fri Dec 29 12:31:25 2017 +0100
Committer: Mikael Ståldal <mik...@staldal.nu>
Committed: Fri Dec 29 12:31:25 2017 +0100
----------------------------------------------------------------------
 .../logging/log4j/server/ObjectInputStreamLogEventBridge.java | 7 ++++++-
 .../java/org/apache/logging/log4j/server/TcpSocketServer.java | 3 +++
 .../java/org/apache/logging/log4j/server/UdpSocketServer.java | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/blob/017ae957/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
----------------------------------------------------------------------
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
index 428ab83..c5ab4eb 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
@@ -25,10 +25,15 @@ import java.util.List;
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.LogEventListener;
 import org.apache.logging.log4j.util.FilteredObjectInputStream;
+import org.apache.logging.log4j.core.layout.SerializedLayout;
 /**
- * Reads and logs serialized {@link LogEvent} objects from an {@link ObjectInputStream}.
+ * Reads and logs serialized {@link LogEvent} objects (created with {@link SerializedLayout}) from an {@link ObjectInputStream}.
+ *
+ * @deprecated Java Serialization has inherent security weaknesses, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data .
+ * Therefore {@link SerializedLayout} is deprecated, and so is this class. We recommend using {@link JsonInputStreamLogEventBridge} instead.
 */
+@Deprecated
 public class ObjectInputStreamLogEventBridge extends AbstractLogEventBridge<ObjectInputStream> {
 private final List<String> allowedClasses;
http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/blob/017ae957/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java
----------------------------------------------------------------------
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java
index 52eafcc..6d163fe 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java
@@ -161,6 +161,7 @@ public class TcpSocketServer<T extends InputStream> extends AbstractSocketServer
 * @throws IOException
 * if an I/O error occurs when opening the socket.
 */
+ @Deprecated
 public static TcpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port) throws IOException {
 LOGGER.entry(port);
 final TcpSocketServer<ObjectInputStream> socketServer = new TcpSocketServer<>(port, new ObjectInputStreamLogEventBridge());
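Review bot: The deprecation of ObjectInputStreamLogEventBridge is visible only to code that compiles against it, so a deployment that already runs the serialized socket server gets no runtime signal that it is still deserializing objects read from a socket. The class keeps its `allowedClasses` field, which presumably feeds the imported FilteredObjectInputStream and is then the remaining guard for such installs. The new `@deprecated` text should say so, for example `* Until migrated, keep the list of allowed classes as narrow as possible.` Consider also logging a single warning when the bridge is constructed; the constructors lie outside this hunk, so whether a logger is in scope there needs checking.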
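Review bot: The `@Deprecated` annotation on `createSerializedSocketServer(final int port)` is added without a matching `@deprecated` Javadoc tag, so the API docs and IDE hints mark the method as deprecated but give neither the reason nor the replacement. The same applies to the two other `createSerializedSocketServer` overloads in TcpSocketServer and to both overloads in UdpSocketServer. Add to each Javadoc block a line such as `* @deprecated Java Serialization has inherent security weaknesses; use a server built on {@link JsonInputStreamLogEventBridge} instead.` The Javadoc blocks begin above the visible hunk lines.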
@@ -181,6 +182,7 @@ public class TcpSocketServer<T extends InputStream> extends AbstractSocketServer * if an I/O error occurs when opening the socket. * @since 2.7 */ + @Deprecated public static TcpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port, final int backlog, final InetAddress localBindAddress) throws IOException { return createSerializedSocketServer(port, backlog, localBindAddress, Collections.<String>emptyList()); @@ -201,6 +203,7 @@ public class TcpSocketServer<T extends InputStream> extends AbstractSocketServer * if an I/O error occurs when opening the socket. * @since 2.8.2 */ + @Deprecated public static TcpSocketServer<ObjectInputStream> createSerializedSocketServer( final int port, final int backlog, final InetAddress localBindAddress, final List<String> allowedClasses ) throws IOException { http://git-wip-us.apache.org/repos/asf/logging-log4j-tools/blob/017ae957/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java ---------------------------------------------------------------------- diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java index 8f53e03..17a7cdd 100644 --- a/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java +++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java @@ -61,6 +61,7 @@ public class UdpSocketServer<T extends InputStream> extends AbstractSocketServer * @throws IOException * if an I/O error occurs when opening the socket. */ + @Deprecated public static UdpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port) throws IOException { return new UdpSocketServer<>(port, new ObjectInputStreamLogEventBridge()); } 
@@ -74,6 +75,7 @@ public class UdpSocketServer<T extends InputStream> extends AbstractSocketServer * @throws IOException if an I/O error occurs when opening the socket. * @since 2.8.2 */ + @Deprecated public static UdpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port, final List<String> allowedClasses) throws IOException {