LOG4J2-3228 - Remove support for java.io.Serializable #1199
This removes Serializable from various APIs including Message, Layout, LogEvent, Logger, and ReadOnlyStringMap. Java serialization is a security hazard. Messages and LogEvents already have numerous alternatives for generic serialization which should be used instead.
Alright, @garydgregory, I've removed the unnecessary generic parameter. However, this raises a cleanup issue: we now have |
Also removes generic parameter from Layout as it's no longer useful

Signed-off-by: Matt Sicker <mattsicker@apache.org>
import java.util.Objects; | ||
|
||
/** | ||
* The internal representation of caller location information. | ||
* | ||
* @since 0.8.3 | ||
*/ | ||
public class LocationInfo implements Serializable { |
I am not sure we can remove these, since we need to maintain compatibility with Log4j 1.2.
@@ -115,28 +108,14 @@ private boolean equalObjectsOrStrings(final Object left, final Object right) { | |||
|
|||
@Override | |||
public int hashCode() { | |||
return obj != null ? obj.hashCode() : 0; | |||
return obj.hashCode(); |
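Review bot: In `hashCode()`, the new `return obj.hashCode();` drops the `obj != null` guard, so the method throws a NullPointerException if the field is ever null. If the class guarantees a non-null `obj` elsewhere, state that invariant in a comment on the field and add a test that covers `new ObjectMessage(null).hashCode()`, so the guarantee is checked rather than assumed by every path that assigns `obj`.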
Are we certain nobody calls new ObjectMessage(null)?
public ObjectMessage(final Object obj) {
this.obj = obj == null ? "null" : obj;
}
Doesn't matter if they do.
I scrolled through about half of the modified files, but it looks good to me.
I'm currently running the tests to make sure the revert of |
Signed-off-by: Matt Sicker <mattsicker@apache.org>