Posted to commits@logging.apache.org by mi...@apache.org on 2017/06/28 17:06:17 UTC

logging-log4j2 git commit: LOG4J2-1958 Link to information about serialization security issues

Repository: logging-log4j2
Updated Branches:
  refs/heads/LOG4J2-1958 2d4b2c1bb -> 13b714dea


LOG4J2-1958 Link to information about serialization security issues


Project: http://git-wip-us.apache.org/repos/asf/logging-log4j2/repo
Commit: http://git-wip-us.apache.org/repos/asf/logging-log4j2/commit/13b714de
Tree: http://git-wip-us.apache.org/repos/asf/logging-log4j2/tree/13b714de
Diff: http://git-wip-us.apache.org/repos/asf/logging-log4j2/diff/13b714de

Branch: refs/heads/LOG4J2-1958
Commit: 13b714dea818f3a435247171f86f54754b254236
Parents: 2d4b2c1
Author: Mikael Ståldal <mi...@staldal.nu>
Authored: Wed Jun 28 19:06:11 2017 +0200
Committer: Mikael Ståldal <mi...@staldal.nu>
Committed: Wed Jun 28 19:06:11 2017 +0200

----------------------------------------------------------------------
 .../apache/logging/log4j/core/layout/SerializedLayout.java   | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/logging-log4j2/blob/13b714de/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/SerializedLayout.java
----------------------------------------------------------------------
diff --git a/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/SerializedLayout.java b/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/SerializedLayout.java
index 091e31e..a77e819 100644
--- a/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/SerializedLayout.java
+++ b/log4j-core/src/main/java/org/apache/logging/log4j/core/layout/SerializedLayout.java
@@ -30,9 +30,9 @@ import org.apache.logging.log4j.core.config.plugins.PluginFactory;
 /**
  * Formats a {@link LogEvent} in its Java serialized form.
  *
- * @deprecated Java Serialization has inherent security weaknesses, using this layout is no longer recommended.
- * An alternative layout containing the same information is {@link JsonLayout} when configured with properties="true".
- * Deprecated since 2.9.
+ * @deprecated Java Serialization has inherent security weaknesses, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data .
+ * Using this layout is no longer recommended. An alternative layout containing the same information is
+ * {@link JsonLayout} when configured with properties="true". Deprecated since 2.9.
  */
 @Deprecated
 @Plugin(name = "SerializedLayout", category = Node.CATEGORY, elementType = Layout.ELEMENT_TYPE, printObject = true)
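Review bot: The reworded `@deprecated` text on the added lines still does not say where the exposure lies. This layout only writes serialized `LogEvent`s, so the risk described on the linked OWASP page presumably falls on whatever process deserializes that stream. I would add one sentence such as `Any receiver that deserializes this layout's output must only accept streams from trusted sources and should restrict the classes it will deserialize.` The bare URL followed by ` .` would also render more cleanly as `<a href="https://www.owasp.org/index.php/Deserialization_of_untrusted_data">Deserialization of untrusted data</a>`. The class declaration itself is outside this hunk.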
@@ -52,7 +52,7 @@ public final class SerializedLayout extends AbstractLayout<LogEvent> {
 
     private SerializedLayout() {
         super(null, null, null);
-        LOGGER.warn("SerializedLayout is deprecated due to the inherent security weakness in Java Serialization. Consider using another layout, e.g. JsonLayout");
+        LOGGER.warn("SerializedLayout is deprecated due to the inherent security weakness in Java Serialization, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data Consider using another layout, e.g. JsonLayout");
     }
 
     /**
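Review bot: In the new `LOGGER.warn` string the URL is followed directly by `Consider using another layout` with no sentence break, so the logged line reads as a run-on. The Javadoc in the same commit separates the URL with ` .`, and the message should do the same: `"... Java Serialization, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data . Consider using another layout, e.g. JsonLayout"`. Since operators will see this line rather than the Javadoc, it would also help to say that the concern is for consumers that deserialize the layout's output.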