From 93d571b0169840353e28ea8f543d43f29606f00a Mon Sep 17 00:00:00 2001 From: Andy Wilkinson Date: Wed, 17 May 2023 18:43:51 +0100 Subject: [PATCH] Upgrade to Tomcat 9.0.75 Closes gh-35503 --- gradle.properties | 2 +- .../boot/autoconfigure/web/ServerProperties.java | 9 +++++++-- .../TomcatWebServerFactoryCustomizerTests.java | 7 ++++++- .../boot/web/embedded/tomcat/TldPatterns.java | 13 ++++++++++--- 4 files changed, 24 insertions(+), 7 deletions(-) diff --git a/gradle.properties b/gradle.properties index de8119e44547..6bb265d9b8b7 100644 --- a/gradle.properties +++ b/gradle.properties @@ -5,6 +5,6 @@ org.gradle.parallel=true org.gradle.jvmargs=-Xmx2g -Dfile.encoding=UTF-8 kotlinVersion=1.5.32 -tomcatVersion=9.0.63 +tomcatVersion=9.0.75 kotlin.stdlib.default.dependency=false diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java index 1b5456129d6d..f39618dbc1da 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2021 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -900,8 +900,13 @@ public static class Remoteip { + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16 + "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16 + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8 + + "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + + "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12 - + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" // + + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12 + + "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12 + "0:0:0:0:0:0:0:1|::1"; /** diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java index 5e3015b81114..b99c79b21bc0 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java @@ -318,8 +318,13 @@ private void testRemoteIpValveConfigured() { + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16 + "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16 + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8 + + "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + + "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12 - + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" // + + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12 + + "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12 + "0:0:0:0:0:0:0:1|::1"; assertThat(remoteIpValve.getInternalProxies()).isEqualTo(expectedInternalProxies); } diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TldPatterns.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TldPatterns.java index fd1b8f4f60cf..8b61d67dfcc7 100644 --- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TldPatterns.java +++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TldPatterns.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -35,10 +35,12 @@ final class TldPatterns { Set skipPatterns = new LinkedHashSet<>(); skipPatterns.add("annotations-api.jar"); skipPatterns.add("ant-junit*.jar"); - skipPatterns.add("ant-launcher.jar"); - skipPatterns.add("ant.jar"); + skipPatterns.add("ant-launcher*.jar"); + skipPatterns.add("ant*.jar"); skipPatterns.add("asm-*.jar"); skipPatterns.add("aspectj*.jar"); + skipPatterns.add("bcel*.jar"); + skipPatterns.add("biz.aQute.bnd*.jar"); skipPatterns.add("bootstrap.jar"); skipPatterns.add("catalina-ant.jar"); skipPatterns.add("catalina-ha.jar"); @@ -51,6 +53,7 @@ final class TldPatterns { skipPatterns.add("commons-beanutils*.jar"); skipPatterns.add("commons-codec*.jar"); skipPatterns.add("commons-collections*.jar"); + skipPatterns.add("commons-compress*.jar"); skipPatterns.add("commons-daemon.jar"); skipPatterns.add("commons-dbcp*.jar"); skipPatterns.add("commons-digester*.jar"); @@ -92,6 +95,8 @@ final class TldPatterns { skipPatterns.add("mail*.jar"); skipPatterns.add("objenesis-*.jar"); skipPatterns.add("oraclepki.jar"); + skipPatterns.add("org.hamcrest.core_*.jar"); + skipPatterns.add("org.junit_*.jar"); skipPatterns.add("oro-*.jar"); skipPatterns.add("servlet-api-*.jar"); skipPatterns.add("servlet-api.jar"); @@ -110,6 +115,7 @@ final class TldPatterns { skipPatterns.add("tomcat-util.jar"); skipPatterns.add("tomcat-websocket.jar"); skipPatterns.add("tools.jar"); + skipPatterns.add("unboundid-ldapsdk-*.jar"); skipPatterns.add("websocket-api.jar"); skipPatterns.add("wsdl4j*.jar"); skipPatterns.add("xercesImpl.jar"); @@ -117,6 +123,7 @@ final class TldPatterns { skipPatterns.add("xmlParserAPIs-*.jar"); skipPatterns.add("xmlParserAPIs.jar"); skipPatterns.add("xom-*.jar"); + TOMCAT_SKIP = Collections.unmodifiableSet(skipPatterns); }