I added some minimal code in the escape pattern converter for handling JSON string encoding. We can probably include a minimal JSON serialization "library" inside log4j-core which could also be included in the general GC-free ecosystem we have going on.
On 2 May 2017 at 10:14, Mikael Ståldal <[email protected]> wrote: > Oh, I did not think about that aspect. Both JsonLayout and a potential new > AvroLayout (will) have external dependency. > > Without external dependency, we currently have GelfLayout, PatternLayout > and RFC5424Layout. > > GelfLayout and RFC5424Layout would be useful in some cases, but they do not > have all information present in SerializedLayout and JsonLayout. > > RFC5424Layout and PatternLayout can be configured to include all > information, but that's quite involved. > > On Tue, May 2, 2017 at 4:11 PM, Remko Popma <[email protected]> wrote: > > > What layout do we have available that does not require an external > > dependency? > > > > On Tue, May 2, 2017 at 8:38 PM, Mikael Ståldal < > [email protected]> > > wrote: > > > > > Given the inherent security problems with Java object serialization > > > (highlighted by CVE-2017-5645), I do suggest that we deprecate > > > SerializedLayout and remove it as default for SocketAppender, and all > > other > > > appenders which currently have it as default. (We can still keep > > > SerializedLayout, with a warning about security issues in > documentation, > > > but users will have to enable it explicitly.) > > > > > > Some people have missed the fact that you can configure SocketAppender > > with > > > another layout. > > > > > > I suggest we do this in the 2.9 release. > > > > > > I know this will break some existing configurations, but given the > > security > > > problems, I think that is a price we have to pay in this case. > > > > > > We have a JIRA ticket for a new Avro based binary layout: > > > https://issues.apache.org/jira/browse/LOG4J2-1871 > > > > > > If we implement that in time for 2.9, we can recommend it as a > > replacement > > > for SerializedLayout. If not, we could recommend JsonLayout which > should > > > contain all necessary information. > > > > > > -- > > > [image: MagineTV] > > > > > > *Mikael Ståldal* > > > Senior software developer > > > > > > *Magine TV* > > > [email protected] > > > Grev Turegatan 3 | 114 46 Stockholm, Sweden | www.magine.com > > > > > > Privileged and/or Confidential Information may be contained in this > > > message. If you are not the addressee indicated in this message > > > (or responsible for delivery of the message to such a person), you may > > not > > > copy or deliver this message to anyone. In such case, > > > you should destroy this message and kindly notify the sender by reply > > > email. > > > > > > > > > -- > [image: MagineTV] > > *Mikael Ståldal* > Senior software developer > > *Magine TV* > [email protected] > Grev Turegatan 3 | 114 46 Stockholm, Sweden | www.magine.com > > Privileged and/or Confidential Information may be contained in this > message. If you are not the addressee indicated in this message > (or responsible for delivery of the message to such a person), you may not > copy or deliver this message to anyone. In such case, > you should destroy this message and kindly notify the sender by reply > email. > -- Matt Sicker <[email protected]>
