[https://issues.apache.org/jira/browse/LOG4J2-1226?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15644392#comment-15644392]
Joern Huxhorn commented on LOG4J2-1226:
---------------------------------------
I don't think so...
In the
{sandbox|https://github.com/huxi/lilith/blob/master/sandbox/log4j2-sandbox/src/main/java/de/huxhorn/lilith/sandbox/Log4j2Sandbox.java},
the only exceptions I see are those that are produced by
{{InnerClass.execute()}} and those fed to {{logger.catching}}.
There's also a console appender configured in that sandbox and it behaves
identically - which would suggest that it isn't necessarily related to
serialization after all, but still could be.
I was testing against 2.7.1-SNAPSHOT with revision
{{62ddffd35d828abd4d0b504b32aa9c96ee00a0ca}}. Just try it out yourself. Perhaps
I'm missing something.
> Message instances are simply serialized. They mustn't.
> ------------------------------------------------------
>
> Key: LOG4J2-1226
> URL: https://issues.apache.org/jira/browse/LOG4J2-1226
> Project: Log4j 2
> Issue Type: Bug
> Components: API
> Affects Versions: 2.5
> Reporter: Joern Huxhorn
> Assignee: Remko Popma
> Fix For: 2.8
>
>
> Right now, any Message instance used to call any log method is simply sent
> as it is.
> Instead, the {{Throwable}} must be transformed into a {{ThrowableProxy}}.
> Custom {{Message}} implementations must be transformed into one of log4j's
> standard message implementations and care must be taken to convert the
> {{Parameters}} {{Object[]}} into {{String[]}} before the message is
> serialized.
> Otherwise, deserialization will fail if a custom {{Throwable}}, custom
> {{Message}} or custom parameter is not contained in the classpath of the
> application receiving the serialized {{LogEvent}}.
> I found those issues while implementing the circumvention for [Apache Commons
> statement to widespread Java object de-serialisation
> vulnerability|https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread]
> in [Lilith|http://lilithapp.com].
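As an added illustration (not log4j's code and not from the reporter), a Java sketch of the transformation the description asks for: the Throwable becomes a String-only snapshot in the spirit of ThrowableProxy, the Object[] parameters are rendered to String[] before serialization, and the receiving side installs a JDK 9+ allowlist filter so that any unexpected class fails fast instead of being instantiated. ThrowableSnapshot, PortableLogEvent, PortableEventDemo and the Custom* classes are hypothetical names chosen for this sketch.

```java
import java.io.*;
// String-only snapshot of a Throwable, in the spirit of log4j's ThrowableProxy
// (a hypothetical stand-in, not log4j's class): readable with JDK classes alone.
final class ThrowableSnapshot implements Serializable {
    private static final long serialVersionUID = 1L;
    final String className, message;
    final String[] frames;
    ThrowableSnapshot(Throwable t) {
        className = t.getClass().getName();
        message = t.getMessage();
        StackTraceElement[] st = t.getStackTrace();
        frames = new String[st.length];
        for (int i = 0; i < st.length; i++) frames[i] = st[i].toString();
    }
}
// Event whose wire form holds only JDK types plus the two classes in this file.
final class PortableLogEvent implements Serializable {
    private static final long serialVersionUID = 1L;
    final String pattern;
    final String[] parameters;   // Object[] rendered to String[] on the sending side
    final ThrowableSnapshot thrown;
    PortableLogEvent(String pattern, Object[] params, Throwable t) {
        this.pattern = pattern;
        parameters = new String[params.length];
        for (int i = 0; i < params.length; i++) parameters[i] = String.valueOf(params[i]);
        thrown = t == null ? null : new ThrowableSnapshot(t);
    }
}
public class PortableEventDemo {
    // Stand-ins for classes the receiving application would not have on its classpath.
    static final class CustomFailure extends RuntimeException { CustomFailure(String m) { super(m); } }
    static final class CustomParam { @Override public String toString() { return "CustomParam#42"; } }
    // Receiver side: an allowlist filter (JDK 9+) rejects every class except the expected ones.
    static PortableLogEvent roundTrip(PortableLogEvent ev) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) { out.writeObject(ev); }
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(buf.toByteArray()))) {
            in.setObjectInputFilter(ObjectInputFilter.Config.createFilter(
                    "java.lang.*;PortableLogEvent;ThrowableSnapshot;!*"));
            return (PortableLogEvent) in.readObject();
        }
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample event: a custom parameter and a custom exception on the sending side.
        PortableLogEvent copy = roundTrip(new PortableLogEvent("user {} failed: {}",
                new Object[] { new CustomParam(), 7 }, new CustomFailure("boom")));
        System.out.println(copy.parameters[0] + " / " + copy.thrown.className + ": " + copy.thrown.message);
    }
}
```

The round trip succeeds because CustomParam and CustomFailure never appear in the stream; had the raw Object[] or Throwable been written instead, the same filter would reject them on the receiving side.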
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)