[ https://issues.apache.org/jira/browse/LOG4J2-1226?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15066585#comment-15066585 ]
Joern Huxhorn commented on LOG4J2-1226:
---------------------------------------

I'd argue that they still can. Just not if they are using Sockets/Serialization or, for example, a console appender.

Serialization is a fragile beast anyway and with the security vulnerability linked above deserializing any arbitrary object simply isn't an option anymore.

If such a message is printed to the console then a complex object is converted to the respective String representation, too.

My "job" with Lilith is to provide a log viewer. Even if the class in question were available on my classpath *and* it had been added to my [handcrafted whitelist|https://github.com/huxi/lilith/blob/master/lilith-engine/src/main/java/de/huxhorn/lilith/engine/impl/eventproducer/AbstractStreamEventProducer.java#L64] of classes allowed during deserialization, I'd still only ever print that object, i.e. performing the {{toString}} in my code.

Imagine one could send a message to log4j that would close {{System.out}} and prevent any further console logging. This is the current effect of sending arbitrary serialized objects.

I don't say that complex (non-standard) objects as parameters or messages are a bad thing in general. But I'd argue that their behavior with standard log4j appenders should be well-defined and well-behaved while the scenario you described (where people want to receive the object itself) would be a case for a custom appender.

> Message instances are simply serialized. They mustn't.
> ------------------------------------------------------
>
>                 Key: LOG4J2-1226
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-1226
>             Project: Log4j 2
>          Issue Type: Bug
>          Components: API
>    Affects Versions: 2.5
>            Reporter: Joern Huxhorn
>
> Right now, any Message instance used to call any log method is simply sent
> as it is.
> Instead, the {{Throwable}} must be transformed into a {{ThrowableProxy}}.
> Custom {{Message}} implementations must be transformed into one of log4j's
> standard message implementations and care must be taken to convert the
> {{Parameters}} {{Object[]}} into {{String[]}} before the message is
> serialized.
> Otherwise, deserialization will fail if a custom {{Throwable}}, custom
> {{Message}} or custom parameter is not contained in the classpath of the
> application receiving the serialized {{LogEvent}}.
> I found those issues while implementing the circumvention for [Apache Commons
> statement to widespread Java object de-serialisation
> vulnerability|https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread]
> in [Lilith|http://lilithapp.com].

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
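The two measures discussed in this issue, rendering parameters and throwables to strings on the sending side and allowlisting classes on the receiving side, as an added example that is neither Log4j's nor Lilith's code; the class names `SafeLogTransport`, `WireEvent` and `AllowlistObjectInputStream` are hypothetical:

```java
import java.io.*;
import java.util.*;

// Added example (not Log4j or Lilith code). Sender flattens a log event to
// String-only fields; receiver refuses any class outside a fixed allowlist.
public final class SafeLogTransport {

    /** Wire form of a log event: only String fields, so the receiver never needs the
     *  sender's custom Message, Throwable or parameter classes on its classpath. */
    public static final class WireEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String formattedMessage;
        public final String[] parameters;    // Object[] already rendered via toString()
        public final String throwableProxy;  // stack trace as text, not the Throwable itself
        public WireEvent(String m, String[] p, String t) {
            formattedMessage = m; parameters = p; throwableProxy = t;
        }
    }

    /** Sender side: every non-standard object is rendered to a String before it leaves the JVM. */
    public static WireEvent flatten(String formatted, Object[] params, Throwable t) {
        String[] rendered = new String[params == null ? 0 : params.length];
        for (int i = 0; i < rendered.length; i++) {
            rendered[i] = String.valueOf(params[i]);  // toString() runs here, in the sender
        }
        String proxy = null;
        if (t != null) {
            StringWriter sw = new StringWriter();
            t.printStackTrace(new PrintWriter(sw));   // textual stand-in for ThrowableProxy
            proxy = sw.toString();
        }
        return new WireEvent(formatted, rendered, proxy);
    }

    /** Receiver side: an ObjectInputStream that rejects any class not on the allowlist,
     *  so an arbitrary serialized object is refused before its readObject() can run. */
    public static final class AllowlistObjectInputStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            WireEvent.class.getName(), "[Ljava.lang.String;"));
        public AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass d) throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(d.getName())) {
                throw new InvalidClassException(d.getName(), "not on the deserialization allowlist");
            }
            return super.resolveClass(d);
        }
    }
}
```

Strings themselves are written as primitive stream entries and never pass through `resolveClass`, which is why only the event class and the `String[]` array descriptor need to be allowlisted.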