[logback-dev] [JIRA] (LOGBACK-1347) HardenedObjectInputStream can't handle multiple markers

QOS.CH (JIRA) noreply-jira at qos.ch
Fri Oct 13 00:11:00 CEST 2017

Nathan Jensen created LOGBACK-1347:

             Summary: HardenedObjectInputStream can't handle multiple markers
                 Key: LOGBACK-1347
                 URL: https://jira.qos.ch/browse/LOGBACK-1347
             Project: logback
          Issue Type: Bug
          Components: logback-classic, logback-core
    Affects Versions: 1.2.0
            Reporter: Nathan Jensen
            Assignee: Logback dev list

I have an application that uses logback classic's SocketAppender to send events to a separate logging process.  The separate process is using logback classic's ServerSocketReceiver and then tracks details about the events.  With logback 1.2 it stopped working and the receiving process started outputting: "java.io.InvalidClassException: Unauthorized deserialization attempt; [Ljava.lang.Object;".  Trying to track it down I finally found that it happened when I had two or more Markers on the event.  Specifically with code such as:

Marker marker = MarkerFactory.getDetachedMarker(processName);

Tracing further, the error message comes from logback core's HardenedObjectInputStream.resolveClass(ObjectStreamClass).  The related class HardenedLoggingEventInputStream has a whitelist of accepted classnames that includes org.slf4j.helpers.BasicMarker but not Object[].  When the sending application code calls BasicMarker.add(Marker), the BasicMarker will create a new internal Vector.  That Vector has the field elementData of type Object[] which gets serialized in the sending process.  Then the receiving process does not accept Object[] during deserialization and produces the error above.

In short, I can't have two slf4j Markers on an event and send it across with serialization with logback classic's SocketAppender and ServerSocketReceiver.

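The failure mode described in the report, reproduced as an added example (not logback's code and not from the reporter). AllowlistInputStream and AllowlistDemo are hypothetical names, and a bare java.util.Vector stands in for the Vector that, per the report, BasicMarker creates internally, so no slf4j dependency is needed. The first read is rejected because the allowlist names the container class but not the array type of its elementData field; the second read succeeds once that type is added.

```java
import java.io.*;
import java.util.*;

// Added illustration. AllowlistInputStream is a hypothetical stand-in,
// not logback's HardenedObjectInputStream.
public class AllowlistDemo {

    /** Rejects every class descriptor whose name is not on the allowlist. */
    static class AllowlistInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        AllowlistInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // Called once per class descriptor in the stream, including array types.
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    /** Deserializes one object under the given allowlist and reports the outcome. */
    static String tryRead(byte[] data, Set<String> allowed) {
        try (ObjectInputStream in = new AllowlistInputStream(new ByteArrayInputStream(data), allowed)) {
            return "accepted: " + in.readObject();
        } catch (IOException | ClassNotFoundException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a Vector serializes its elementData field as Object[].
        Vector<String> refs = new Vector<>();
        refs.add("child");
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(refs);
        }
        byte[] data = buf.toByteArray();

        // Allowlist that names the container class only.
        Set<String> allowed = new HashSet<>(Collections.singletonList("java.util.Vector"));
        System.out.println(tryRead(data, allowed));
        // Adding the JVM name of Object[] lets the same stream through.
        allowed.add("[Ljava.lang.Object;");
        System.out.println(tryRead(data, allowed));
    }
}
```

When building such an allowlist, walk the serialized form of every permitted class, since field types like this array appear in the stream as their own class descriptors.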