Trim last allowed origin in comma-delimited list

kevin.kep · rstoyanchev · commit 2fe7ab1f9291 · 2024-07-15T15:17:03.000+01:00
See gh-33181
diff --git a/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java b/spring-web/src/main/java/org/springframework/web/cors/CorsConfiguration.java
@@ -281,7 +281,7 @@ private static void parseCommaDelimitedOrigin(String rawValue, Consumer<String>
 			}
 		}
 		if (start < rawValue.length()) {
-			valueConsumer.accept(rawValue.substring(start));
+			valueConsumer.accept(rawValue.substring(start).trim());
 		}
 	}
 
diff --git a/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java b/spring-web/src/test/java/org/springframework/web/cors/CorsConfigurationTests.java
@@ -305,6 +305,11 @@ void checkOriginAllowed() {
 		assertThat(config.checkOrigin("https://a1.com")).isEqualTo("https://a1.com");
 		assertThat(config.checkOrigin("https://a2.com/")).isEqualTo("https://a2.com/");
 
+		// comma-delimited origins list with space
+		config.setAllowedOrigins(Collections.singletonList("https://a1.com, https://a2.com"));
+		assertThat(config.checkOrigin("https://a1.com")).isEqualTo("https://a1.com");
+		assertThat(config.checkOrigin("https://a2.com/")).isEqualTo("https://a2.com/");
+
 		// specific origin matches Origin header with or without trailing "/"
 		config.setAllowedOrigins(Collections.singletonList("https://domain.com"));
 		assertThat(config.checkOrigin("https://domain.com")).isEqualTo("https://domain.com");

Original file line number	Diff line number	Diff line change
`@@ -281,7 +281,7 @@ private static void parseCommaDelimitedOrigin(String rawValue, Consumer<String>`
`281`	`281`	`}`
`282`	`282`	`}`
`283`	`283`	`if (start < rawValue.length()) {`
`284`		`- valueConsumer.accept(rawValue.substring(start));`
	`284`	`+ valueConsumer.accept(rawValue.substring(start).trim());`
`285`	`285`	`}`
`286`	`286`	`}`
`287`	`287`