diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java b/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
index e7a4fdab03..d4ce76d50a 100644
--- a/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
@@ -71,6 +71,11 @@ public final class IpAddressMatcher implements RequestMatcher {
 }
 public boolean matches(String address) {
+ // Do not match null or blank address
+ if (!StringUtils.hasText(address)) {
+ return false;
+ }
+
 assertNotHostName(address);
 InetAddress remoteAddress = parseAddress(address);
 if (!this.requiredAddress.getClass().equals(remoteAddress.getClass())) {
diff --git a/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java b/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
index eebd8fa945..9329eed69a 100644
--- a/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
+++ b/web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2002-2019 the original author or authors.
+ * Copyright 2002-2024 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
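Review bot: The guard added at the top of `IpAddressMatcher.matches(String)` makes a null or blank address a silent non-match, but the public method carries no Javadoc stating that contract. Returning `false` fails closed for allow-list rules, yet any caller that negates the matcher or uses it as a deny rule will treat a request with no remote address as outside the range and let it pass; this is inferred, since no callers are visible in the diff. I would add Javadoc along the lines of `@return {@code false} if the address is null or blank; callers that negate this matcher must handle a missing address themselves`. The method body continues past the end of the hunk.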
@@ -126,4 +126,17 @@ public class IpAddressMatcherTests {
 .withMessage("ipAddress 123.156.7.18.org doesn't look like an IP Address. Is it a host name?");
 }
+ // gh-15527
+ @Test
+ public void matchesWhenIpAddressIsLoopbackAndAddressIsNullThenFalse() {
+ IpAddressMatcher ipAddressMatcher = new IpAddressMatcher("127.0.0.1");
+ assertThat(ipAddressMatcher.matches((String) null)).isFalse();
+ }
+
+ // gh-15527
+ @Test
+ public void matchesWhenAddressIsNullThenFalse() {
+ assertThat(this.v4matcher.matches((String) null)).isFalse();
+ }
+
 }
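Review bot: Both new tests pass only `null`, so the blank half of the `StringUtils.hasText` guard in `matches(String)` is left unpinned. If `parseAddress` delegates to `InetAddress.getByName` (not visible in this diff), an empty host is documented to resolve to the loopback address, which makes the empty-string case as security-relevant as the null one for a `127.0.0.1` matcher. I would extend the loopback test with `assertThat(ipAddressMatcher.matches("")).isFalse();` and `assertThat(ipAddressMatcher.matches(" ")).isFalse();`. The `this.v4matcher` fixture used by the second test is defined outside the hunk.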