17 package org.apache.logging.log4j.core.layout;
19 import java.io.ByteArrayOutputStream;
20 import java.io.IOException;
21 import java.io.ObjectOutputStream;
22 import java.io.OutputStream;
24 import org.apache.logging.log4j.core.Layout;
25 import org.apache.logging.log4j.core.LogEvent;
26 import org.apache.logging.log4j.core.config.Node;
27 import org.apache.logging.log4j.core.config.plugins.Plugin;
28 import org.apache.logging.log4j.core.config.plugins.PluginFactory;
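/**
 * Formats a {@link LogEvent} as its Java-serialized form, i.e. the byte encoding produced by
 * {@code ObjectOutputStream}.
 *
 * <p>The {@code ObjectOutputStream} stream header is emitted once, through {@link #getHeader()};
 * each event is then written by {@link #toByteArray(LogEvent)} with the per-stream header
 * suppressed, so "header followed by events" reads back as a single object stream.</p>
 *
 * @deprecated The consumer of this output must Java-deserialize it, and deserialization of data
 *     from an untrusted source is unsafe (the constructor logs the OWASP reference). Prefer another
 *     layout, e.g. JsonLayout.
 */
@Deprecated
@Plugin(name = "SerializedLayout", category = Node.CATEGORY, elementType = Layout.ELEMENT_TYPE, printObject = true)
public final class SerializedLayout extends AbstractLayout<LogEvent> {

    /**
     * Bytes of an {@code ObjectOutputStream} stream header, or {@code null} when generation
     * failed at class-initialization time (the failure is logged, not thrown).
     */
    private static final byte[] serializedHeader = generateStreamHeader();

    /**
     * Produces the bytes an {@code ObjectOutputStream} writes before any object.
     *
     * <p>Constructing the stream writes the header; closing it without writing anything else
     * leaves exactly those bytes in the buffer.</p>
     *
     * @return the header bytes, or {@code null} if they could not be generated
     */
    private static byte[] generateStreamHeader() {
        final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try {
            new ObjectOutputStream(buffer).close();
            return buffer.toByteArray();
        } catch (final Exception ex) {
            // Deliberately broad: header generation is best effort and must never prevent the
            // class from loading. A null header is tolerated by getHeader().
            LOGGER.error("Unable to generate Object stream header", ex);
            return null;
        }
    }

    /**
     * Creates the layout with no header, footer or charset on the abstract layout and logs the
     * deprecation warning.
     */
    private SerializedLayout() {
        super(null, null, null);
        LOGGER.warn("SerializedLayout is deprecated due to the inherent security weakness in Java Serialization, see https://www.owasp.org/index.php/Deserialization_of_untrusted_data Consider using another layout, e.g. JsonLayout");
    }

    /**
     * Serializes the event with a stream header-less {@code ObjectOutputStream}, followed by a
     * reset marker.
     *
     * <p>The header is omitted because {@link #getHeader()} already supplies it once for the whole
     * output. The reset marker clears the stream's back-reference table, so each event can be
     * decoded without state carried over from earlier events.</p>
     *
     * @param event the event to serialize
     * @return the serialized bytes; if serialization fails the failure is logged and whatever bytes
     *     were written before the failure (possibly none) are returned
     */
    @Override
    public byte[] toByteArray(final LogEvent event) {
        final ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (final ObjectOutputStream out = new HeaderlessObjectOutputStream(buffer)) {
            out.writeObject(event);
            out.reset();
        } catch (final IOException ioe) {
            LOGGER.error("Serialization of LogEvent failed.", ioe);
        }
        return buffer.toByteArray();
    }

    /**
     * Returns the event itself; the {@link LogEvent} is the serializable form.
     *
     * @param event the event
     * @return {@code event}, unchanged
     */
    @Override
    public LogEvent toSerializable(final LogEvent event) {
        return event;
    }

    /**
     * Plugin factory for the configuration system.
     *
     * @return a new {@code SerializedLayout}
     * @deprecated see the class-level note
     */
    @Deprecated
    @PluginFactory
    public static SerializedLayout createLayout() {
        return new SerializedLayout();
    }

    /**
     * Returns the {@code ObjectOutputStream} stream header to emit once before any event.
     *
     * @return the header bytes, or {@code null} if they could not be generated at class load
     */
    @Override
    public byte[] getHeader() {
        return serializedHeader;
    }

    /**
     * Returns the MIME type of the produced bytes.
     *
     * @return {@code "application/octet-stream"}
     */
    @Override
    public String getContentType() {
        return "application/octet-stream";
    }

    /**
     * An {@code ObjectOutputStream} that writes no stream header, so per-event output can be
     * appended to the single header provided by {@link #getHeader()}.
     *
     * <p>Static: it needs nothing from the enclosing layout instance.</p>
     */
    private static final class HeaderlessObjectOutputStream extends ObjectOutputStream {

        HeaderlessObjectOutputStream(final OutputStream os) throws IOException {
            super(os);
        }

        /** Intentionally empty: the stream header is supplied once via {@code getHeader()}. */
        @Override
        protected void writeStreamHeader() {
            // no-op
        }
    }
}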