From 99be4f5a3bf6ffd41646f60248860f8d508dc26a Mon Sep 17 00:00:00 2001
From: Cesar Hernandez
Date: Tue, 29 Oct 2024 19:29:27 -0600
Subject: [PATCH] backported commit #23656ae Use Locale.ROOT consistently for toLower/toUpperCase to mitigate CVE-2024-38820
---
 gradle.properties | 2 +-
 .../java/org/springframework/validation/DataBinder.java | 6 ++++--
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/gradle.properties b/gradle.properties
index a74c35b409da..d6ab6f1600ee 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -1,4 +1,4 @@
-version=5.3.39.RELEASE-TT.1
+version=5.3.39.RELEASE-TT.2
 org.gradle.jvmargs=-Xmx2048m
 org.gradle.caching=true
 org.gradle.parallel=true
diff --git a/spring-context/src/main/java/org/springframework/validation/DataBinder.java b/spring-context/src/main/java/org/springframework/validation/DataBinder.java
index 8cd4b6ef9c7c..5717943030e4 100644
--- a/spring-context/src/main/java/org/springframework/validation/DataBinder.java
+++ b/spring-context/src/main/java/org/springframework/validation/DataBinder.java
@@ -23,6 +23,7 @@
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 
 import org.apache.commons.logging.Log;
@@ -482,7 +483,8 @@ public void setDisallowedFields(@Nullable String... disallowedFields) {
 else {
 String[] fieldPatterns = new String[disallowedFields.length];
 for (int i = 0; i < fieldPatterns.length; i++) {
- fieldPatterns[i] = PropertyAccessorUtils.canonicalPropertyName(disallowedFields[i]).toLowerCase();
+ String field = PropertyAccessorUtils.canonicalPropertyName(disallowedFields[i]);
+ fieldPatterns[i] = field.toLowerCase(Locale.ROOT);
 }
 this.disallowedFields = fieldPatterns;
 }
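Review bot: The two `toLowerCase(Locale.ROOT)` sites — in setDisallowedFields here and in isAllowed in the next hunk — carry no comment saying why the locale is pinned, so a later cleanup could drop the argument and silently reintroduce the default-locale case folding this patch removes. A one-line comment at each site, `// Locale.ROOT: default-locale case folding (e.g. Turkish dotless i) could map a field name past a disallowed pattern (CVE-2024-38820)`, would record the intent; both enclosing methods begin outside their hunks. The patch also carries no regression test; a check that a field name whose lower-casing differs between Locale.ROOT and a locale such as tr_TR is still rejected when the JVM default locale is set to that locale would guard the behaviour. Because the subject says "consistently", it is worth confirming that no other locale-sensitive `toLowerCase()`/`toUpperCase()` calls remain on the disallowed-field path, which cannot be verified from the hunks shown.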
@@ -825,7 +827,7 @@ protected boolean isAllowed(String field) {
 String[] allowed = getAllowedFields();
 String[] disallowed = getDisallowedFields();
 return ((ObjectUtils.isEmpty(allowed) || PatternMatchUtils.simpleMatch(allowed, field)) &&
- (ObjectUtils.isEmpty(disallowed) || !PatternMatchUtils.simpleMatch(disallowed, field.toLowerCase())));
+ (ObjectUtils.isEmpty(disallowed) || !PatternMatchUtils.simpleMatch(disallowed, field.toLowerCase(Locale.ROOT))));
 }
 
 /**