From 2f4bb003bbe7f6b7920a7ae6d63984cc14d44094 Mon Sep 17 00:00:00 2001
From: maoling
Date: Mon, 7 Aug 2023 23:00:00 +0800
Subject: [PATCH] add java doc warning comment into ipAddressMatcher for potential dns resolution

---
 .../security/web/util/matcher/IpAddressMatcher.java | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java b/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
index 3be7851094d..00ada3594e0 100644
--- a/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
+++ b/web/src/main/java/org/springframework/security/web/util/matcher/IpAddressMatcher.java
@@ -44,7 +44,7 @@ public final class IpAddressMatcher implements RequestMatcher {
 * Takes a specific IP address or a range specified using the IP/Netmask (e.g.
 * 192.168.1.0/24 or 202.24.0.0/14).
 * @param ipAddress the address or range of addresses from which the request must
- * come.
+ * come. Note: ipAddress should not be a hostname to avoid the DNS resolution for potential security issue
 */
 public IpAddressMatcher(String ipAddress) {
 if (ipAddress.indexOf('/') > 0) {
@@ -65,6 +65,10 @@ public boolean matches(HttpServletRequest request) {
 return matches(request.getRemoteAddr());
 }
 
+ /**
+ * match whether address is in the range of ipAddress
+ * @param address which is for Ip range check. Note: address should not be a hostname to avoid the DNS resolution for potential security issue
+ */
 public boolean matches(String address) {
 InetAddress remoteAddress = parseAddress(address);
 if (!this.requiredAddress.getClass().equals(remoteAddress.getClass())) {
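Review bot: The added `@param` sentence in the constructor Javadoc is hard to read and leaves the actual risk implicit; a reader needs to know that the string ends up in an address parser which, presumably through `InetAddress.getByName` inside `parseAddress` (not visible in this hunk), will resolve a hostname over DNS. Suggest `* come. Pass an IP literal (IPv4 or IPv6), optionally with a /prefix length; do not pass a hostname, since it would be resolved through DNS, adding a network round-trip and making the matched address depend on the resolver's answer.` The same wording is repeated in the second hunk's Javadoc for `matches(String)` and should be replaced there too. Since the constructor only inspects the string for a `/`, consider whether rejecting non-literal input with an `IllegalArgumentException` would serve callers better than a note they may not read; the constructor body continues outside the hunk.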
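Review bot: The new Javadoc on `matches(String)` has no `@return` tag and its summary is not a verb phrase, so generated docs will not state what `true` means. Suggest the summary `Tests whether the given address falls within the configured address or range.`, the tag `@param address the remote IP literal to test; a hostname should not be passed, since it would be resolved through DNS`, and `@return {@code true} if {@code address} is within the configured range`. The body of `matches(String)` continues outside the hunk.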