[ https://issues.apache.org/jira/browse/LOG4J2-1226?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15644166#comment-15644166 ]
Joern Huxhorn commented on LOG4J2-1226:
---------------------------------------

The fix looks good so far. All messages of [my little sandbox|https://github.com/huxi/lilith/blob/master/sandbox/log4j2-sandbox/src/main/java/de/huxhorn/lilith/sandbox/Log4j2Sandbox.java] are now received by Lilith.

I found another issue that may or may not be related to serialization, though:

{code:java}
logger.debug(new FormattedMessage("curly-brackets FormattedMessage {} {} with Throwable", new Object[]{"foo", "bar", prepareException()}));
logger.debug(new FormattedMessage("curly-brackets FormattedMessage {} {} with explicit Throwable", new Object[]{"foo", "bar"}, new FooException("foo exception")));
logger.debug(new FormattedMessage("percent-s FormattedMessage %s %s with Throwable", new Object[]{"foo", "bar", prepareException()}));
logger.debug(new LocalizedMessage("LocalizedMessage %s %s with Throwable", new Object[]{"foo", "bar", prepareException()}));
logger.debug(new MessageFormatMessage("MessageFormatMessage {0} with Throwable", new Foo(), prepareException()));
logger.debug(new ParameterizedMessage("ParameterizedMessage {} with Throwable", new Foo(), prepareException()));
logger.debug(new StringFormattedMessage("StringFormattedMessage %s with Throwable", new Foo(), prepareException()));
// prepareException() returns a Throwable instance
{code}

None of the Throwables given as arguments above are returned by getThrowable() of their respective Message implementation.

Let me know if I should file a different bug for those issues.

> Message instances are simply serialized. They mustn't.
> ------------------------------------------------------
>
>                 Key: LOG4J2-1226
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1226
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: API
>    Affects Versions: 2.5
>            Reporter: Joern Huxhorn
>            Assignee: Remko Popma
>             Fix For: 2.8
>
>
> Right now, any Message instance used to call any log method is simply sent as it is.
> Instead, the {{Throwable}} must be transformed into a {{ThrowableProxy}}.
> Custom {{Message}} implementations must be transformed into one of log4j's standard message implementations and care must be taken to convert the {{Parameters}} {{Object[]}} into {{String[]}} before the message is serialized.
> Otherwise, deserialization will fail if a custom {{Throwable}}, custom {{Message}} or custom parameter is not contained in the classpath of the application receiving the serialized {{LogEvent}}.
> I found those issues while implementing the circumvention for [Apache Commons statement to widespread Java object de-serialisation vulnerability|https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread] in [Lilith|http://lilithapp.com].

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
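The conversion the issue asks for, shown as an added example that is neither Log4j's nor Lilith's code: before Java serialization, a `Message` is reduced to String-only state (the `Object[]` parameters become `String[]`), and the receiving side refuses any class outside that shape. `TransportMessage`, `readTrusted` and the allowlist are assumptions of this example; the `Throwable` is reduced to its printed stack trace here, whereas the issue asks for a `ThrowableProxy`. Assumes log4j-api on the classpath and Java 9 or later.

```java
import java.io.*;
import java.util.Arrays;
import java.util.Set;
import org.apache.logging.log4j.message.Message;

// Assumed value type: carries only Strings, so the receiver needs no custom classes.
public final class TransportMessage implements Message, Serializable {
    private static final long serialVersionUID = 1L;
    private final String formatted;
    private final String format;
    private final String[] params;      // Object[] reduced to String[] on the sender
    private final String thrownAsText;  // Throwable reduced to text (stand-in for ThrowableProxy)

    public TransportMessage(Message m) {
        formatted = m.getFormattedMessage();
        format = m.getFormat();
        Object[] p = m.getParameters();
        params = p == null ? new String[0]
                           : Arrays.stream(p).map(String::valueOf).toArray(String[]::new);
        Throwable t = m.getThrowable();
        if (t == null) {
            thrownAsText = null;
        } else {
            StringWriter sw = new StringWriter();
            t.printStackTrace(new PrintWriter(sw));
            thrownAsText = sw.toString();
        }
    }
    @Override public String getFormattedMessage() { return formatted; }
    @Override public String getFormat() { return format; }
    @Override public Object[] getParameters() { return params.clone(); }
    @Override public Throwable getThrowable() { return null; } // never rebuilt on the receiver
    public String getThrowableText() { return thrownAsText; }

    // Sender side: serialize the flattened form, never the original Message.
    public static void writeSafe(Message m, OutputStream out) throws IOException {
        new ObjectOutputStream(out).writeObject(new TransportMessage(m));
    }

    // Receiver side: resolveClass only admits the classes a TransportMessage needs;
    // anything else (a custom Message, parameter or exception class) is rejected.
    public static Message readTrusted(InputStream in) throws IOException, ClassNotFoundException {
        Set<String> allowed = Set.of(TransportMessage.class.getName(), "[Ljava.lang.String;");
        try (ObjectInputStream ois = new ObjectInputStream(in) {
            @Override protected Class<?> resolveClass(ObjectStreamClass d)
                    throws IOException, ClassNotFoundException {
                if (!allowed.contains(d.getName())) throw new InvalidClassException("rejected: " + d.getName());
                return super.resolveClass(d);
            }
        }) {
            return (Message) ois.readObject();
        }
    }
}
```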