
Make Stricter IP Format Check

Closes gh-17499

Signed-off-by: Andrey Litvitski <andrey1010102008@gmail.com>
Andrey Litvitski 1 ماه پیش
والد
کامیت
2fbe8dd8f6

+ 2 - 1
web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java

@@ -35,11 +35,12 @@ import org.springframework.util.StringUtils;
  *
  * @author Luke Taylor
  * @author Steve Riesenberg
+ * @author Andrey Litvitski
  * @since 3.0.2
  */
 public final class IpAddressMatcher implements RequestMatcher {
 
-	private static Pattern IPV4 = Pattern.compile("\\d{0,3}.\\d{0,3}.\\d{0,3}.\\d{0,3}(/\\d{0,3})?");
+	private static Pattern IPV4 = Pattern.compile("^\\d{1,3}(?:\\.\\d{1,3}){0,3}(?:/\\d{1,2})?$");
 
 	private final InetAddress requiredAddress;
 

+ 9 - 0
web/src/test/java/org/springframework/security/web/util/matcher/IpAddressMatcherTests.java

@@ -27,6 +27,7 @@ import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException
 
 /**
  * @author Luke Taylor
+ * @author Andrey Litvitski
  */
 public class IpAddressMatcherTests {
 
@@ -167,4 +168,12 @@ public class IpAddressMatcherTests {
 		assertThat(matcher.toString()).hasToString("IpAddress [127.0.0.1]");
 	}
 
+	// gh-17499
+	@Test
+	public void constructorRejectsInvalidIpv4WithX() {
+		String badIp = "10x1x1x1";
+		assertThatIllegalArgumentException().isThrownBy(() -> new IpAddressMatcher(badIp))
+			.withMessage("ipAddress 10x1x1x1 doesn't look like an IP Address. Is it a host name?");
+	}
+
 }
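Review bot: The added test pins only the unescaped-dot case (`10x1x1x1`), but the pattern change also alters how empty octets, the mask suffix length and short forms are handled. Constructed examples such as `10..1.1`, `10.1.1.1/128` and `10.1` would each exercise one of those parts. The expected result for each depends on constructor code outside this page, so the assertions should record whatever behaviour is intended. A short comment above the test, such as `// before gh-17499 the unescaped '.' in IPV4 matched any character`, would explain why this input was chosen.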