Make stricter IP format check in IpAddressMatcher

therepanic · therepanic · commit 9ed6789f5d51 · 2025-07-09T02:14:03.000+03:00
Closes: gh-17499 Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java b/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
@@ -35,11 +35,12 @@
  *
  * @author Luke Taylor
  * @author Steve Riesenberg
+ * @author Andrey Litvitski
  * @since 3.0.2
  */
 public final class IpAddressMatcher implements RequestMatcher {
 
-	private static Pattern IPV4 = Pattern.compile("\\d{0,3}.\\d{0,3}.\\d{0,3}.\\d{0,3}(/\\d{0,3})?");
+	private static Pattern IPV4 = Pattern.compile("^(\\d{1,3}\\.){3}\\d{1,3}(/\\d{1,3})?$");
 
 	private final InetAddress requiredAddress;
 
diff --git a/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java b/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
@@ -27,6 +27,7 @@
 
 /**
  * @author Luke Taylor
+ * @author Andrey Litvitski
  */
 public class IpAddressMatcherTests {
 
@@ -167,4 +168,12 @@ public void toStringWhenOnlyIpIsProvidedThenReturnsIpAddressOnly() {
 		assertThat(matcher.toString()).hasToString("IpAddress [127.0.0.1]");
 	}
 
+	// gh-17499
+	@Test
+	public void constructorRejectsInvalidIpv4WithX() {
+		String badIp = "10x1x1x1";
+		assertThatIllegalArgumentException().isThrownBy(() -> new IpAddressMatcher(badIp))
+			.withMessage("ipAddress 10x1x1x1 doesn't look like an IP Address. Is it a host name?");
+	}
+
 }
