From 2fe7ab1f92914205d917586d8866a351197791ab Mon Sep 17 00:00:00 2001
From: "kevin.kep"
Date: Wed, 10 Jul 2024 09:45:07 +0900
Subject: [PATCH 1/2] Trim last allowed origin in comma-delimited list See gh-33181
---
 .../java/org/springframework/web/cors/CorsConfiguration.java | 2 +-
 .../org/springframework/web/cors/CorsConfigurationTests.java | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
index dbb22c42532..ad6d65feb46 100644
--- a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
+++ b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
@@ -281,7 +281,7 @@ public class CorsConfiguration {
 }
 }
 if (start < rawValue.length()) {
- valueConsumer.accept(rawValue.substring(start));
+ valueConsumer.accept(rawValue.substring(start).trim());
 }
 }
diff --git a/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java b/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
index 0dfdee1ba0b..092781475f9 100644
--- a/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
+++ b/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
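Review bot: A token that is only whitespace now reaches `valueConsumer` as an empty string, because the `start < rawValue.length()` guard in CorsConfiguration is evaluated before `trim()`; a constructed value such as `"https://a1.com, "` passes the guard and yields `""`. The comma branch polished in patch 2/2 has the same gap, where `a,,b` or `a, ,b` produces an empty `originValue`. What the consumer does with an empty origin is not visible in these hunks, so it is safer to filter at both call sites with `if (!originValue.isEmpty()) { valueConsumer.accept(originValue); }`. The enclosing method starts outside both hunks.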
@@ -305,6 +305,11 @@ class CorsConfigurationTests {
 assertThat(config.checkOrigin("https://a1.com")).isEqualTo("https://a1.com");
 assertThat(config.checkOrigin("https://a2.com/")).isEqualTo("https://a2.com/");
+ // comma-delimited origins list with space
+ config.setAllowedOrigins(Collections.singletonList("https://a1.com, https://a2.com"));
+ assertThat(config.checkOrigin("https://a1.com")).isEqualTo("https://a1.com");
+ assertThat(config.checkOrigin("https://a2.com/")).isEqualTo("https://a2.com/");
+
 // specific origin matches Origin header with or without trailing "/"
 config.setAllowedOrigins(Collections.singletonList("https://domain.com"));
 assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");
From 77bdbf7e37bdc49671165b43459c8f1cd98b8efe Mon Sep 17 00:00:00 2001
From: rstoyanchev
Date: Mon, 15 Jul 2024 15:21:19 +0100
Subject: [PATCH 2/2] Polishing contribution Closes gh-33181
---
 .../org/springframework/web/cors/CorsConfiguration.java | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
index ad6d65feb46..4e471cfc233 100644
--- a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
+++ b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
@@ -274,14 +274,16 @@ public class CorsConfiguration {
 case ']' -> withinPortRange = false;
 case ',' -> {
 if (!withinPortRange) {
- valueConsumer.accept(rawValue.substring(start, current).trim());
+ String originValue = rawValue.substring(start, current).trim();
+ valueConsumer.accept(originValue);
 start = current + 1;
 }
 }
 }
 }
 if (start < rawValue.length()) {
- valueConsumer.accept(rawValue.substring(start).trim());
+ String originValue = rawValue.substring(start).trim();
+ valueConsumer.accept(originValue);
 }
 }
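Review bot: The case added to CorsConfigurationTests only asserts origins that should be accepted, and only with a single space after the comma, so it would still pass if the list parser became more permissive. For an allow-list a rejecting assertion belongs next to it, for example `assertThat(config.checkOrigin("https://a3.com")).isNull();`, assuming checkOrigin returns null for a non-matching origin, which this hunk does not show. An input with trailing whitespace such as `"https://a1.com, https://a2.com "` would also pin the branch that patch 1/2 changes. The test method begins and ends outside the hunk.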