getBeanDefinitionNames should not leak the frozenBeanDefinitionNames array [SPR-14897]

[spring-projects-issues]

Richard Fearn opened SPR-14897 and commented

getBeanDefinitionNames leaks the getBeanDefinitionNames array to callers. It's possible for the caller to modify the array, which affects Spring's internal list of the names of beans in the context.

---

Affects: 4.3.4

Attachments:

• Spr14897Test.java (732 bytes)

Issue Links:

• #17012 DefaultListableBeanFactory should allow efficient access to current bean names
• #19488 DefaultListableBeanFactory.copyConfigurationFrom should provide independent AutowireCandidateResolver instance

[spring-projects-issues]

Juergen Hoeller commented

Good point; we're returning a clone of the array now. To be backported to 4.3.5.

FWIW, in the 4.x line, we have a more efficient getBeanNamesIterator() accessor on ConfigurableListableBeanFactory which is preferably used by Spring Boot already.

[spring-projects-issues]

Richard Fearn commented

FWIW, in the 4.x line, we have a more efficient getBeanNamesIterator() accessor on ConfigurableListableBeanFactory which is preferably used by Spring Boot already.

Thanks - I see that was added in commit 965bea7, though that didn't go into Spring 4.0, which we are currently using (yes, we really need to upgrade!).

The reason I'm getting the list of bean names is so that I can sort them alphabetically, and dump out a list of them for diagnostic purposes - so getting an iterator vs. an array doesn't make a huge amount of difference. Thanks for the suggestion though!