This is an automated email from the ASF dual-hosted git repository. rgoers pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/logging-log4j-server.git
commit 017ae95760be63eb9212ee5c450b165d966a67bb Author: Mikael Ståldal <[email protected]> AuthorDate: Fri Dec 29 12:31:25 2017 +0100 LOG4J2-2163 Deprecate ObjectInputStreamLogEventBridge --- .../logging/log4j/server/ObjectInputStreamLogEventBridge.java | 7 ++++++- .../main/java/org/apache/logging/log4j/server/TcpSocketServer.java | 3 +++ .../main/java/org/apache/logging/log4j/server/UdpSocketServer.java | 2 ++ 3 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
index 428ab83..c5ab4eb 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/ObjectInputStreamLogEventBridge.java
@@ -25,10 +25,15 @@ import java.util.List;
 import org.apache.logging.log4j.core.LogEvent;
 import org.apache.logging.log4j.core.LogEventListener;
 import org.apache.logging.log4j.util.FilteredObjectInputStream;
+import org.apache.logging.log4j.core.layout.SerializedLayout;
 /**
- * Reads and logs serialized {@link LogEvent} objects from an {@link ObjectInputStream}.
+ * Reads and logs serialized {@link LogEvent} objects (created with {@link SerializedLayout}) from an {@link ObjectInputStream}.
+ *
+ * @deprecated Java Serialization has inherent security weaknesses, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data .
+ * Therefore {@link SerializedLayout} is deprecated, and so is this class. We recommend using {@link JsonInputStreamLogEventBridge} instead.
 */
+@Deprecated
 public class ObjectInputStreamLogEventBridge extends AbstractLogEventBridge<ObjectInputStream> {
 private final List<String> allowedClasses;
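Review bot: The new `@deprecated` Javadoc on ObjectInputStreamLogEventBridge explains why the class is going away but gives no guidance for deployments that cannot migrate at once, and the class keeps reading from an `ObjectInputStream` with only the `allowedClasses` filter in front of it. I would add a sentence to the tag such as `Until you migrate, keep the allowed-classes list as small as possible and accept connections only from trusted senders.` The exact filtering behaviour of `FilteredObjectInputStream` is not visible here, so the wording should be checked against it. The class body continues outside the hunk.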
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java
index 52eafcc..6d163fe 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/TcpSocketServer.java
@@ -161,6 +161,7 @@ public class TcpSocketServer<T extends InputStream> extends AbstractSocketServer
 * @throws IOException
 * if an I/O error occurs when opening the socket.
 */
+ @Deprecated
 public static TcpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port) throws IOException {
 LOGGER.entry(port);
 final TcpSocketServer<ObjectInputStream> socketServer = new TcpSocketServer<>(port, new ObjectInputStreamLogEventBridge());
@@ -181,6 +182,7 @@ public class TcpSocketServer<T extends InputStream> extends AbstractSocketServer
 * if an I/O error occurs when opening the socket.
 * @since 2.7
 */
+ @Deprecated
 public static TcpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port, final int backlog, final InetAddress localBindAddress) throws IOException {
 return createSerializedSocketServer(port, backlog, localBindAddress, Collections.<String>emptyList());
@@ -201,6 +203,7 @@ public class TcpSocketServer<T extends InputStream> extends AbstractSocketServer
 * if an I/O error occurs when opening the socket.
 * @since 2.8.2
 */
+ @Deprecated
 public static TcpSocketServer<ObjectInputStream> createSerializedSocketServer(
 final int port, final int backlog, final InetAddress localBindAddress, final List<String> allowedClasses
 ) throws IOException {
diff --git a/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java b/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java
index 8f53e03..17a7cdd 100644
--- a/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java
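Review bot: `@Deprecated` on `createSerializedSocketServer(final int port)` is only seen by code that is recompiled against this class; an operator who starts an existing deployment still gets a listener backed by `new ObjectInputStreamLogEventBridge()` with no sign that this mode is discouraged. Since `LOGGER` is already used on the next line, a one-line runtime warning would surface it, for example `LOGGER.warn("Serialized socket servers are deprecated because Java deserialization of untrusted data is unsafe; switch to the JSON bridge.");`. The same applies to whichever other overloads in this file construct the bridge and, presumably, to the UdpSocketServer factories. The method body continues outside the hunk.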
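Review bot: The `@Deprecated` annotation on this `createSerializedSocketServer` overload comes without a matching Javadoc `@deprecated` tag, so the generated documentation and IDE tooltips will not say why it is deprecated or what to use instead. The same holds for the other two overloads in this file and for both factories in UdpSocketServer. I would add to each Javadoc block a line such as `@deprecated Java Serialization has inherent security weaknesses; use a server built on {@link JsonInputStreamLogEventBridge} instead.` The Javadoc block and the method body both extend outside the hunk.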
+++ b/log4j-server/src/main/java/org/apache/logging/log4j/server/UdpSocketServer.java
@@ -61,6 +61,7 @@ public class UdpSocketServer<T extends InputStream> extends AbstractSocketServer
 * @throws IOException
 * if an I/O error occurs when opening the socket.
 */
+ @Deprecated
 public static UdpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port) throws IOException {
 return new UdpSocketServer<>(port, new ObjectInputStreamLogEventBridge());
 }
@@ -74,6 +75,7 @@ public class UdpSocketServer<T extends InputStream> extends AbstractSocketServer
 * @throws IOException if an I/O error occurs when opening the socket.
 * @since 2.8.2
 */
+ @Deprecated
 public static UdpSocketServer<ObjectInputStream> createSerializedSocketServer(final int port, final List<String> allowedClasses) throws IOException {
