From 3744532dec01581f2f790d4bedc0c81ee840cde7 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 20 Mar 2023 19:39:16 +0000
Subject: [PATCH 01/11] Upgrade to Dropwizard Metrics 4.2.18
Closes gh-34648
---
 spring-boot-project/spring-boot-dependencies/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index 3be1870dfa..8a4ab345fc 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -283,7 +283,7 @@ bom {
 ]
 }
 }
- library("Dropwizard Metrics", "4.2.16") {
+ library("Dropwizard Metrics", "4.2.18") {
 group("io.dropwizard.metrics") {
 imports = [
 "metrics-bom"
From 419428842e84ca1d22ab58089bd6e72b8dafbf5a Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 20 Mar 2023 19:39:21 +0000
Subject: [PATCH 02/11] Upgrade to Groovy 3.0.16
Closes gh-34649
---
 spring-boot-project/spring-boot-dependencies/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index 8a4ab345fc..43d0521602 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -422,7 +422,7 @@ bom {
 ]
 }
 }
- library("Groovy", "3.0.15") {
+ library("Groovy", "3.0.16") {
 group("org.codehaus.groovy") {
 imports = [
 "groovy-bom"
From 7fa5dab8acdf44fc1fba2d42f1d7292f1394a63e Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 20 Mar 2023 19:39:26 +0000
Subject: [PATCH 03/11] Upgrade to Jetty Reactive HTTPClient 1.1.14
Closes gh-34650
---
 spring-boot-project/spring-boot-dependencies/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index 43d0521602..465ec88760 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -969,7 +969,7 @@ bom {
 ]
 }
 }
- library("Jetty Reactive HTTPClient", "1.1.13") {
+ library("Jetty Reactive HTTPClient", "1.1.14") {
 prohibit {
 versionRange "[2,)"
 because "it uses the jakarta.* namespace"
From bfba7fdee304617d2ef076d9d5a11c842b6eb636 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 20 Mar 2023 19:39:31 +0000
Subject: [PATCH 04/11] Upgrade to Jetty 9.4.51.v20230217
Closes gh-34651
---
 spring-boot-project/spring-boot-dependencies/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index 465ec88760..b1bcbd9494 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -980,7 +980,7 @@ bom {
 ]
 }
 }
- library("Jetty", "9.4.50.v20221201") {
+ library("Jetty", "9.4.51.v20230217") {
 prohibit {
 versionRange "[10.0.0-alpha0,)"
 because "it requires Java 11"
From 20558bf07242baf838e4a0ed48c2c9c7b90f152b Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 20 Mar 2023 19:39:36 +0000
Subject: [PATCH 05/11] Upgrade to Json-smart 2.4.10
Closes gh-34652
---
 spring-boot-project/spring-boot-dependencies/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index b1bcbd9494..c89a26e2f7 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -1050,7 +1050,7 @@ bom {
 ]
 }
 }
- library("Json-smart", "2.4.8") {
+ library("Json-smart", "2.4.10") {
 group("net.minidev") {
 modules = [
 "json-smart"
From 71c7194af7c973794d13dcd21fb8d420ff8ec69b Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 20 Mar 2023 19:39:41 +0000
Subject: [PATCH 06/11] Upgrade to Netty 4.1.90.Final
Closes gh-34653
---
 spring-boot-project/spring-boot-dependencies/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index c89a26e2f7..9bd79098c2 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -1394,7 +1394,7 @@ bom {
 ]
 }
 }
- library("Netty", "4.1.89.Final") {
+ library("Netty", "4.1.90.Final") {
 group("io.netty") {
 imports = [
 "netty-bom"
From 97dab185dd03c3f9c4aba8d340a55c8fca6fa010 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 20 Mar 2023 19:39:41 +0000
Subject: [PATCH 07/11] Upgrade to Spring Data Bom 2021.2.10
Closes gh-34530
---
 spring-boot-project/spring-boot-dependencies/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index 9bd79098c2..dcaf8d3e7b 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -1739,7 +1739,7 @@ bom {
 ]
 }
 }
- library("Spring Data Bom", "2021.2.10-SNAPSHOT") {
+ library("Spring Data Bom", "2021.2.10") {
 prohibit {
 versionRange "[2022.0.0-M1,)"
 because "it uses Spring Framework 6"
From 078c5f5c2c1fce4ee43c3de393d285013977601b Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 20 Mar 2023 19:39:42 +0000
Subject: [PATCH 08/11] Upgrade to Spring Framework 5.3.26
Closes gh-34531
---
 spring-boot-project/spring-boot-dependencies/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index dcaf8d3e7b..a6165d71e1 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -1750,7 +1750,7 @@ bom {
 ]
 }
 }
- library("Spring Framework", "5.3.26-SNAPSHOT") {
+ library("Spring Framework", "5.3.26") {
 prohibit {
 versionRange "[6.0.0-M1,)"
 because "we upgrade in Spring Boot 3.x"
From 676cac99b7ee071922309fa6adf6e1bec8879f42 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson
Date: Mon, 20 Mar 2023 19:39:47 +0000
Subject: [PATCH 09/11] Upgrade to Spring HATEOAS 1.5.4
Closes gh-34654
---
 spring-boot-project/spring-boot-dependencies/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index a6165d71e1..67deb080d9 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -1769,7 +1769,7 @@ bom {
 ]
 }
 }
- library("Spring HATEOAS", "1.5.3") {
+ library("Spring HATEOAS", "1.5.4") {
 prohibit {
 versionRange "[2.0.0-M1,)"
 because "it uses Spring Framework 6"
From 4be288f672430885816522a5940edceafafcb4c3 Mon Sep 17 00:00:00 2001
From: Andy Wilkinson Date: Mon, 20 Mar 2023 19:39:52 +0000 Subject: [PATCH 10/11] Upgrade to Tomcat 9.0.73 Closes gh-34655 --- gradle.properties | 2 +- .../boot/autoconfigure/web/ServerProperties.java | 9 +++++++-- .../TomcatWebServerFactoryCustomizerTests.java | 7 ++++++- .../boot/web/embedded/tomcat/TldPatterns.java | 13 ++++++++++--- 4 files changed, 24 insertions(+), 7 deletions(-) diff --git a/gradle.properties b/gradle.properties index f29a0a0e35..60fea604d5 100644 --- a/gradle.properties +++ b/gradle.properties @@ -5,6 +5,6 @@ org.gradle.parallel=true org.gradle.jvmargs=-Xmx2g -Dfile.encoding=UTF-8 kotlinVersion=1.6.21 -tomcatVersion=9.0.71 +tomcatVersion=9.0.73 kotlin.stdlib.default.dependency=false diff --git a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java index 096c334174..3a0bca45ae 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/main/java/org/springframework/boot/autoconfigure/web/ServerProperties.java @@ -1,5 +1,5 @@ /* - * Copyright 2012-2022 the original author or authors. + * Copyright 2012-2023 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. 
@@ -959,8 +959,13 @@ public class ServerProperties { + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16 + "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16 + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8 + + "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + + "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10 + "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12 - + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" // + + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12 + + "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12 + "0:0:0:0:0:0:0:1|::1"; /** diff --git a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java index ed3f9ad4c1..926a654ee3 100644 --- a/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java +++ b/spring-boot-project/spring-boot-autoconfigure/src/test/java/org/springframework/boot/autoconfigure/web/embedded/TomcatWebServerFactoryCustomizerTests.java 
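Review bot: The four added `100\\.…` alternatives widen the default trusted-proxy pattern to 100.64.0.0/10, but nothing in the hunk says what that range is or why it is now trusted, and all four lines carry the same `// 100.64.0.0/10` comment. The test hunk in TomcatWebServerFactoryCustomizerTests compares an identical literal with `remoteIpValve.getInternalProxies()`, so this string presumably decides which peers the Tomcat RemoteIpValve accepts forwarded client-address headers from. A peer in 100.64.0.0/10 that is not an operator-controlled proxy could then influence the client address the application records. I would add a comment above the new lines, for example `// 100.64.0.0/10: RFC 6598 shared address space (carrier-grade NAT); override the default if this range is not exclusively your own proxies`, and label each alternative with its sub-range, e.g. `// 100.64 - 100.69`. The declaration this literal belongs to starts outside the hunk.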
@@ -340,8 +340,13 @@ class TomcatWebServerFactoryCustomizerTests {
 + "192\\.168\\.\\d{1,3}\\.\\d{1,3}|" // 192.168/16
 + "169\\.254\\.\\d{1,3}\\.\\d{1,3}|" // 169.254/16
 + "127\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}|" // 127/8
+ + "100\\.6[4-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10
+ + "100\\.[7-9]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10
+ + "100\\.1[0-1]{1}\\d{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10
+ + "100\\.12[0-7]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 100.64.0.0/10
 + "172\\.1[6-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
- + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" //
+ + "172\\.2[0-9]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
+ + "172\\.3[0-1]{1}\\.\\d{1,3}\\.\\d{1,3}|" // 172.16/12
 + "0:0:0:0:0:0:0:1|::1";
 assertThat(remoteIpValve.getInternalProxies()).isEqualTo(expectedInternalProxies);
 }
diff --git a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TldPatterns.java b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TldPatterns.java
index fd1b8f4f60..8b61d67dfc 100644
--- a/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TldPatterns.java
+++ b/spring-boot-project/spring-boot/src/main/java/org/springframework/boot/web/embedded/tomcat/TldPatterns.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2012-2022 the original author or authors.
+ * Copyright 2012-2023 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -35,10 +35,12 @@ final class TldPatterns { Set skipPatterns = new LinkedHashSet<>(); skipPatterns.add("annotations-api.jar"); skipPatterns.add("ant-junit*.jar"); - skipPatterns.add("ant-launcher.jar"); - skipPatterns.add("ant.jar"); + skipPatterns.add("ant-launcher*.jar"); + skipPatterns.add("ant*.jar"); skipPatterns.add("asm-*.jar"); skipPatterns.add("aspectj*.jar"); + skipPatterns.add("bcel*.jar"); + skipPatterns.add("biz.aQute.bnd*.jar"); skipPatterns.add("bootstrap.jar"); skipPatterns.add("catalina-ant.jar"); skipPatterns.add("catalina-ha.jar"); @@ -51,6 +53,7 @@ final class TldPatterns { skipPatterns.add("commons-beanutils*.jar"); skipPatterns.add("commons-codec*.jar"); skipPatterns.add("commons-collections*.jar"); + skipPatterns.add("commons-compress*.jar"); skipPatterns.add("commons-daemon.jar"); skipPatterns.add("commons-dbcp*.jar"); skipPatterns.add("commons-digester*.jar"); @@ -92,6 +95,8 @@ final class TldPatterns { skipPatterns.add("mail*.jar"); skipPatterns.add("objenesis-*.jar"); skipPatterns.add("oraclepki.jar"); + skipPatterns.add("org.hamcrest.core_*.jar"); + skipPatterns.add("org.junit_*.jar"); skipPatterns.add("oro-*.jar"); skipPatterns.add("servlet-api-*.jar"); skipPatterns.add("servlet-api.jar"); @@ -110,6 +115,7 @@ final class TldPatterns { skipPatterns.add("tomcat-util.jar"); skipPatterns.add("tomcat-websocket.jar"); skipPatterns.add("tools.jar"); + skipPatterns.add("unboundid-ldapsdk-*.jar"); skipPatterns.add("websocket-api.jar"); skipPatterns.add("wsdl4j*.jar"); skipPatterns.add("xercesImpl.jar"); @@ -117,6 +123,7 @@ final class TldPatterns { skipPatterns.add("xmlParserAPIs-*.jar"); skipPatterns.add("xmlParserAPIs.jar"); skipPatterns.add("xom-*.jar"); + TOMCAT_SKIP = Collections.unmodifiableSet(skipPatterns); } From fe39ee671d174d1c5ab5919ac30e3ad48846111a Mon Sep 17 00:00:00 2001 
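Review bot: In the first TldPatterns hunk the new `ant*.jar` entry makes its neighbours `ant-junit*.jar` and `ant-launcher*.jar` redundant. It also matches any jar whose name merely begins with "ant" (an `antlr-*.jar`, for instance), which would then be skipped if TOMCAT_SKIP is used for TLD scanning as its name suggests. The commit subject hints that the list follows Tomcat's own default skip list for the upgraded version, but the code does not say so. I would add a comment above the block such as `// Mirrors Tomcat's default jar-scan skip list; ant*.jar is deliberately broad`, so a later reader does not narrow or deduplicate it by mistake. The initializer that builds the set starts outside these hunks.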
From: Andy Wilkinson
Date: Mon, 20 Mar 2023 19:39:57 +0000
Subject: [PATCH 11/11] Upgrade to UnboundID LDAPSDK 6.0.8
Closes gh-34656
---
 spring-boot-project/spring-boot-dependencies/build.gradle | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/spring-boot-project/spring-boot-dependencies/build.gradle b/spring-boot-project/spring-boot-dependencies/build.gradle
index 67deb080d9..8fdccff100 100644
--- a/spring-boot-project/spring-boot-dependencies/build.gradle
+++ b/spring-boot-project/spring-boot-dependencies/build.gradle
@@ -1948,7 +1948,7 @@ bom {
 ]
 }
 }
- library("UnboundID LDAPSDK", "6.0.7") {
+ library("UnboundID LDAPSDK", "6.0.8") {
 group("com.unboundid") {
 modules = [
 "unboundid-ldapsdk"