From 63c5957dc83c106766629543e9484dbae10128dd Mon Sep 17 00:00:00 2001
From: Cesar Hernandez
Date: Mon, 4 Nov 2024 15:14:26 -0600
Subject: [PATCH] backported commit #23656ae Use Locale.ROOT consistently for toLower/toUpperCase to mitigate CVE-2024-38820

---
 .../java/org/springframework/validation/DataBinder.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/spring-context/src/main/java/org/springframework/validation/DataBinder.java b/spring-context/src/main/java/org/springframework/validation/DataBinder.java
index c2e5ecfa3b07..3d1902f40e3b 100644
--- a/spring-context/src/main/java/org/springframework/validation/DataBinder.java
+++ b/spring-context/src/main/java/org/springframework/validation/DataBinder.java
@@ -23,6 +23,7 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 
 import org.apache.commons.logging.Log;
@@ -482,7 +483,8 @@ public void setDisallowedFields(@Nullable String... disallowedFields) {
 else {
 String[] fieldPatterns = new String[disallowedFields.length];
 for (int i = 0; i < fieldPatterns.length; i++) {
- fieldPatterns[i] = PropertyAccessorUtils.canonicalPropertyName(disallowedFields[i]).toLowerCase();
+ String field = PropertyAccessorUtils.canonicalPropertyName(disallowedFields[i]);
+ fieldPatterns[i] = field.toLowerCase(Locale.ROOT);
 }
 this.disallowedFields = fieldPatterns;
 }
@@ -825,7 +827,7 @@ protected boolean isAllowed(String field) {
 String[] allowed = getAllowedFields();
 String[] disallowed = getDisallowedFields();
 return ((ObjectUtils.isEmpty(allowed) || PatternMatchUtils.simpleMatch(allowed, field)) &&
- (ObjectUtils.isEmpty(disallowed) || !PatternMatchUtils.simpleMatch(disallowed, field.toLowerCase())));
+ (ObjectUtils.isEmpty(disallowed) || !PatternMatchUtils.simpleMatch(disallowed, field.toLowerCase(Locale.ROOT))));
 }
 
 /**
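Review bot: The new `fieldPatterns[i] = field.toLowerCase(Locale.ROOT);` line in setDisallowedFields establishes a contract that the stored disallowed patterns are folded with Locale.ROOT and that isAllowed must fold the candidate field identically, but nothing in the code records why the locale is pinned, so a later cleanup could reintroduce the locale-dependent `toLowerCase()` that CVE-2024-38820 is about. Suggest a comment above the new `String field = ...` line: `// Fold with Locale.ROOT so disallowed matching is independent of the JVM default locale (CVE-2024-38820); isAllowed() must fold the candidate field the same way.` The enclosing `if`/`else` and the method signature of setDisallowedFields start outside the hunk, so the null-argument branch is not visible here. The isAllowed hunk below carries the matching `Locale.ROOT` fold and needs no separate comment once this one names it.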
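Review bot: The new return line in isAllowed now makes the asymmetry explicit but undocumented: allowed patterns are matched against `field` as given (case-sensitive), while disallowed patterns are matched against `field.toLowerCase(Locale.ROOT)` (case-insensitive), and the Javadoc for isAllowed, which begins outside the hunk, says nothing about it. Suggest adding to that Javadoc a sentence stating that allowed patterns match case-sensitively whereas disallowed patterns match case-insensitively after Locale.ROOT lower-casing, mirroring how setDisallowedFields stores them. As a style point, the fold could be hoisted into a local the way the setDisallowedFields hunk does, keeping the long boolean expression readable: `String lowerCaseField = field.toLowerCase(Locale.ROOT);` before the `return`, and `!PatternMatchUtils.simpleMatch(disallowed, lowerCaseField)` in its place.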