Improve diagnostics in SpEL for large array creation #28257

Closed
jhoeller opened this issue Mar 31, 2022 · 2 comments
Labels: in: core, type: backport, type: enhancement

Comments

jhoeller (Contributor) commented Mar 31, 2022

Backport of gh-28145

@jhoeller jhoeller added in: core type: enhancement labels Mar 31, 2022
@jhoeller jhoeller added this to the 5.2.20 milestone Mar 31, 2022
bclozel pushed a commit that referenced this issue Mar 31, 2022
Attempting to create a large array in a SpEL expression can result in
an OutOfMemoryError. Although the JVM recovers from that, the error
message is not very helpful to the user.

This commit improves the diagnostics in SpEL for large array creation
by throwing a SpelEvaluationException with a meaningful error message
in order to improve diagnostics for the user.

Closes gh-28257
@jhoeller jhoeller added the type: backport label Mar 31, 2022
jgallimore pushed a commit to tomitribe/spring-framework that referenced this issue Apr 1, 2022
Maarten-Damen commented Apr 5, 2022

Hi @jhoeller,

Am I correctly assuming that this is the fix for CVE-2022-22950? And if so, would it be possible to update the documentation that the fix is also applied to 5.2.20? Since the CVE reports now only mention 5.3.17 as fix version for this CVE.

Some of the documentation mentions:

sbrannen (Member) commented Apr 5, 2022

@Maarten-Damen, we have updated the published documentation.
