grails-core

Remove logback.groovy configuration (incompatible with logback 1.2.9)

Open arixmkii opened this issue 3 years ago • 4 comments

Logback dropped support for Groovy configuration since 1.2.9.

Detailed info can be found in the news for Dec 16, 2021: http://logback.qos.ch/news.html

There are a lot of mentions of this way of configuring logs in the documentation and probably also in templates. Better to remove them.

Current result - application will fail to run (including integration tests) if logback is updated to 1.2.9

arixmkii avatar Dec 20 '21 15:12 arixmkii

Just to mention, update to Logback 1.2.9 is desirable since the recent CVE-2021-42550 affecting Logback 1.2.7 and older.

yuri1969 avatar Jan 04 '22 13:01 yuri1969

There were some discussions on the Logback JIRA; the Grails framework needs to support backward compatibility.

Spring Boot 2.6.2 uses Logback 1.2.9 now, so if Grails 5.1.2 upgrades to Spring Boot 2.6.2, it would cause some errors with logback.

rainboyan avatar Jan 05 '22 07:01 rainboyan

Logback still supports programmatic configuration. Grails could:

  1. Implement logback's com.qos.logback.classic.spi.Configurator that looks for the old groovy file
  2. Use a groovy dsl to generate the xml logback expects
  3. Inform users that the first option above is left up to end-users now

jdaugherty avatar Jan 05 '22 17:01 jdaugherty
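An added example, not part of the thread and not Grails or Logback project code: a minimal programmatic configurator of the kind the first option refers to, written against the logback-classic 1.2.x `Configurator` interface (`ch.qos.logback.classic.spi.Configurator`). It does not evaluate a leftover `logback.groovy`; it only reports it through Logback's status messages and applies fixed defaults. The package name, class name, log pattern and level are assumptions chosen for illustration.

```java
// Added illustration; package and class names are hypothetical.
// Register by listing the fully qualified class name in
// META-INF/services/ch.qos.logback.classic.spi.Configurator
package example.logging;

import ch.qos.logback.classic.Level;
import ch.qos.logback.classic.Logger;
import ch.qos.logback.classic.LoggerContext;
import ch.qos.logback.classic.encoder.PatternLayoutEncoder;
import ch.qos.logback.classic.spi.Configurator;
import ch.qos.logback.classic.spi.ILoggingEvent;
import ch.qos.logback.core.ConsoleAppender;
import ch.qos.logback.core.spi.ContextAwareBase;

import java.net.URL;

public class FallbackConfigurator extends ContextAwareBase implements Configurator {

    private static final String LEGACY_FILE = "logback.groovy";

    @Override
    public void configure(LoggerContext lc) {
        // Report a leftover Groovy config rather than ignoring it silently.
        // The file is located only; its content is never read or executed.
        URL legacy = FallbackConfigurator.class.getClassLoader().getResource(LEGACY_FILE);
        if (legacy != null) {
            addWarn("Found " + legacy + " but it is not evaluated; using programmatic defaults");
        }

        // Encoder and appender must be given the context and started before use.
        PatternLayoutEncoder encoder = new PatternLayoutEncoder();
        encoder.setContext(lc);
        encoder.setPattern("%d{HH:mm:ss.SSS} %-5level %logger{36} - %msg%n");
        encoder.start();

        ConsoleAppender<ILoggingEvent> console = new ConsoleAppender<>();
        console.setContext(lc);
        console.setName("STDOUT");
        console.setEncoder(encoder);
        console.start();

        // Attach the appender to the root logger at an assumed default level.
        Logger root = lc.getLogger(Logger.ROOT_LOGGER_NAME);
        root.setLevel(Level.INFO);
        root.addAppender(console);
    }
}
```

In Logback 1.2.x the service-loaded configurator is consulted only when no `logback-test.xml` or `logback.xml` is found on the classpath.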

Is it just me, or is arbitrary code execution when you have access to the server's files, a non-issue?

chrisbitmead avatar Feb 07 '22 08:02 chrisbitmead