AntRegexRequestMatcher Optimization

Closes gh-11234

Author: rwinch

web/src/main/java/org/springframework/security/web/util/matcher/RegexRequestMatcher.java

@@ -43,7 +43,9 @@
  */
 public final class RegexRequestMatcher implements RequestMatcher {
 
-	private static final int DEFAULT = 0;
+	private static final int DEFAULT = Pattern.DOTALL;
+
+	private static final int CASE_INSENSITIVE = DEFAULT | Pattern.CASE_INSENSITIVE;
 
 	private static final Log logger = LogFactory.getLog(RegexRequestMatcher.class);
 
@@ -68,7 +70,7 @@ public RegexRequestMatcher(String pattern, String httpMethod) {
 	 * {@link Pattern#CASE_INSENSITIVE} flag set.
 	 */
 	public RegexRequestMatcher(String pattern, String httpMethod, boolean caseInsensitive) {
-		this.pattern = Pattern.compile(pattern, caseInsensitive ? Pattern.CASE_INSENSITIVE : DEFAULT);
+		this.pattern = Pattern.compile(pattern, caseInsensitive ? CASE_INSENSITIVE : DEFAULT);
 		this.httpMethod = StringUtils.hasText(httpMethod) ? HttpMethod.valueOf(httpMethod) : null;
 	}
 

web/src/test/java/org/springframework/security/web/util/matcher/RegexRequestMatcherTests.java

@@ -101,6 +101,22 @@ public void matchesWithInvalidMethod() {
 		assertThat(matcher.matches(request)).isFalse();
 	}
 
+	@Test
+	public void matchesWithCarriageReturn() {
+		RegexRequestMatcher matcher = new RegexRequestMatcher(".*", null);
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/blah%0a");
+		request.setServletPath("/blah\n");
+		assertThat(matcher.matches(request)).isTrue();
+	}
+
+	@Test
+	public void matchesWithLineFeed() {
+		RegexRequestMatcher matcher = new RegexRequestMatcher(".*", null);
+		MockHttpServletRequest request = new MockHttpServletRequest("GET", "/blah%0d");
+		request.setServletPath("/blah\r");
+		assertThat(matcher.matches(request)).isTrue();
+	}
+
 	@Test
 	public void toStringThenFormatted() {
 		RegexRequestMatcher matcher = new RegexRequestMatcher("/blah", "GET");