From c167007096e3a29c201f39faa41b5fed4997e022 Mon Sep 17 00:00:00 2001
From: Cesar Hernandez
Date: Tue, 29 Oct 2024 13:24:37 -0600
Subject: [PATCH] backported commit #23656ae Use Locale.ROOT consistently for toLower/toUpperCase to mitigate CVE-2024-38820

---
 .../java/org/springframework/validation/DataBinder.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/spring-context/src/main/java/org/springframework/validation/DataBinder.java b/spring-context/src/main/java/org/springframework/validation/DataBinder.java
index be21247903bf..48f23f7f548a 100644
--- a/spring-context/src/main/java/org/springframework/validation/DataBinder.java
+++ b/spring-context/src/main/java/org/springframework/validation/DataBinder.java
@@ -23,6 +23,7 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Optional;
 
@@ -478,7 +479,8 @@ public void setDisallowedFields(String... disallowedFields) {
 else {
 String[] fieldPatterns = new String[disallowedFields.length];
 for (int i = 0; i < fieldPatterns.length; i++) {
- fieldPatterns[i] = PropertyAccessorUtils.canonicalPropertyName(disallowedFields[i]).toLowerCase();
+ String field = PropertyAccessorUtils.canonicalPropertyName(disallowedFields[i]);
+ fieldPatterns[i] = field.toLowerCase(Locale.ROOT);
 }
 this.disallowedFields = fieldPatterns;
 }
@@ -812,7 +814,7 @@ protected boolean isAllowed(String field) {
 String[] allowed = getAllowedFields();
 String[] disallowed = getDisallowedFields();
 return ((ObjectUtils.isEmpty(allowed) || PatternMatchUtils.simpleMatch(allowed, field)) &&
- (ObjectUtils.isEmpty(disallowed) || !PatternMatchUtils.simpleMatch(disallowed, field.toLowerCase())));
+ (ObjectUtils.isEmpty(disallowed) || !PatternMatchUtils.simpleMatch(disallowed, field.toLowerCase(Locale.ROOT))));
 }
 
 /**
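Review bot: The new `toLowerCase(Locale.ROOT)` calls in the setDisallowedFields hunk and in the isAllowed hunk carry no comment saying why the locale is pinned, so a later cleanup could plausibly drop the argument and reintroduce the locale-dependent case folding this backport removes. I would add above the loop in setDisallowedFields `// Locale.ROOT: pattern and field must fold case identically regardless of the JVM default locale (e.g. Turkish dotless i), see CVE-2024-38820` and the same one-liner before the return in isAllowed, since the fix only holds while both sites fold with the same locale. The patch also carries no regression test; a test that sets a Turkish default locale and checks that a disallowed pattern containing an `i`/`I` still blocks the corresponding field would pin the fix on the backport branch. setDisallowedFields begins outside its hunk, and the allowed-fields comparison in isAllowed remains case-sensitive, which is pre-existing and unchanged here.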