From d0d7a88233de2cd05b47fc2cf93bc8331af55cff Mon Sep 17 00:00:00 2001
From: Bryan Kelly
Date: Fri, 7 Apr 2017 14:59:32 -0500
Subject: [PATCH] Fix ForwardedHeaderFilter getRequestURL()

Previously ForwardedHeaderFilter would return the same StringBuffer for every invocation. This meant that users that modified the StringBuffer changed the state of the HttpServletRequest. This commit ensures that a new StringBuffer is always returned for ForwardedHeaderFilter.
Issue: SPR-15423
---
 .../web/filter/ForwardedHeaderFilter.java | 8 ++++----
 .../web/filter/ForwardedHeaderFilterTests.java | 10 ++++++++++
 2 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java b/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java
index 5187c0e0cdd..0917538c06b 100644
--- a/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java
+++ b/spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java
@@ -118,7 +118,7 @@ public class ForwardedHeaderFilter extends OncePerRequestFilter {
 private final String requestUri;
- private final StringBuffer requestUrl;
+ private final String requestUrl;
 private final Map> headers;
@@ -137,8 +137,8 @@ public class ForwardedHeaderFilter extends OncePerRequestFilter {
 String prefix = getForwardedPrefix(request);
 this.contextPath = (prefix != null ? prefix : request.getContextPath());
 this.requestUri = this.contextPath + pathHelper.getPathWithinApplication(request);
- this.requestUrl = new StringBuffer(this.scheme + "://" + this.host +
- (port == -1 ? "" : ":" + port) + this.requestUri);
+ this.requestUrl = this.scheme + "://" + this.host +
+ (port == -1 ? "" : ":" + port) + this.requestUri;
 this.headers = initHeaders(request);
 }
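Review bot: In the constructor hunk (`@@ -137,8 +137,8 @@`), the string now stored in `this.requestUrl` is concatenated from `this.scheme`, `this.host`, `port` and the prefix returned by `getForwardedPrefix(request)`, and no validation of those values is visible here. Given the filter's name they presumably originate from Forwarded / X-Forwarded-* headers, which are client-controlled unless an upstream proxy overwrites them, so anything that uses `getRequestURL()` to build redirects or absolute links inherits that trust. I would record this on the assignment, e.g. `// Derived from forwarded headers; trustworthy only when a proxy in front of the app replaces client-supplied values`, and confirm that host and prefix are sanitised where they are parsed. The constructor begins outside the hunk, so how scheme, host and port are derived cannot be checked from here.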
@@ -206,7 +206,7 @@ public class ForwardedHeaderFilter extends OncePerRequestFilter {
 @Override public StringBuffer getRequestURL() {
- return this.requestUrl;
+ return new StringBuffer(this.requestUrl);
 }
 // Override header accessors to not expose forwarded headers
diff --git a/spring-web/src/test/java/org/springframework/web/filter/ForwardedHeaderFilterTests.java b/spring-web/src/test/java/org/springframework/web/filter/ForwardedHeaderFilterTests.java
index a48672cf1e1..4b58ef5d1e8 100644
--- a/spring-web/src/test/java/org/springframework/web/filter/ForwardedHeaderFilterTests.java
+++ b/spring-web/src/test/java/org/springframework/web/filter/ForwardedHeaderFilterTests.java
@@ -208,6 +208,16 @@ public class ForwardedHeaderFilterTests {
 HttpServletRequest actual = filterAndGetWrappedRequest();
 assertEquals("http://localhost/prefix/mvc-showcase", actual.getRequestURL().toString());
 }
+
+ @Test
+ public void requestURLNewStringBuffer() throws Exception {
+ this.request.addHeader(X_FORWARDED_PREFIX, "/prefix/");
+ this.request.setRequestURI("/mvc-showcase");
+
+ HttpServletRequest actual = filterAndGetWrappedRequest();
+ actual.getRequestURL().append("?key=value");
+ assertEquals("http://localhost/prefix/mvc-showcase", actual.getRequestURL().toString());
+ }
 @Test public void contextPathWithForwardedPrefix() throws Exception {
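Review bot: In `getRequestURL()` of ForwardedHeaderFilter.java (`@@ -206,7 +206,7 @@`), the new `return new StringBuffer(this.requestUrl);` has no comment explaining why a copy is made, so a later cleanup could cache the buffer again and reintroduce the shared mutable state. The servlet API returns a `StringBuffer` precisely so that callers can append to it, which makes the defensive copy part of the contract and not an incidental allocation. I would add a line above the return such as `// Always return a fresh buffer: callers may modify it, and that must not alter this request's URL (SPR-15423)`.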