Use Locale.ROOT for locale neutral, case insensitive comparisons

This addresses  CVE-2024-38820

Author: abhinaynagpal

spring-beans/src/main/java/org/springframework/beans/support/PropertyComparator.java

@@ -19,6 +19,7 @@
 import java.util.Arrays;
 import java.util.Comparator;
 import java.util.List;
+import java.util.Locale;
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -77,8 +78,8 @@ public int compare(T o1, T o2) {
 		Object v1 = getPropertyValue(o1);
 		Object v2 = getPropertyValue(o2);
 		if (this.sortDefinition.isIgnoreCase() && (v1 instanceof String) && (v2 instanceof String)) {
-			v1 = ((String) v1).toLowerCase();
-			v2 = ((String) v2).toLowerCase();
+			v1 = ((String) v1).toLowerCase(Locale.ROOT);
+			v2 = ((String) v2).toLowerCase(Locale.ROOT);
 		}
 
 		int result;

spring-context-support/src/main/java/org/springframework/scheduling/quartz/LocalDataSourceJobStore.java

@@ -19,6 +19,7 @@
 import java.sql.Connection;
 import java.sql.DatabaseMetaData;
 import java.sql.SQLException;
+import java.util.Locale;
 
 import javax.sql.DataSource;
 
@@ -155,7 +156,7 @@ public void initialize() {
 			String productName = JdbcUtils.extractDatabaseMetaData(this.dataSource,
 					DatabaseMetaData::getDatabaseProductName);
 			productName = JdbcUtils.commonDatabaseName(productName);
-			if (productName != null && productName.toLowerCase().contains("hsql")) {
+			if (productName != null && productName.toLowerCase(Locale.ROOT).contains("hsql")) {
 				setUseDBLocks(false);
 				setLockHandler(new SimpleSemaphore());
 			}

spring-context/src/main/java/org/springframework/format/datetime/standard/MonthFormatter.java

@@ -34,7 +34,7 @@ class MonthFormatter implements Formatter<Month> {
 
 	@Override
 	public Month parse(String text, Locale locale) throws ParseException {
-		return Month.valueOf(text.toUpperCase());
+		return Month.valueOf(text.toUpperCase(Locale.ROOT));
 	}
 
 	@Override

spring-context/src/main/java/org/springframework/scheduling/support/CronField.java

@@ -21,6 +21,7 @@
 import java.time.temporal.ChronoUnit;
 import java.time.temporal.Temporal;
 import java.time.temporal.ValueRange;
+import java.util.Locale;
 import java.util.function.BiFunction;
 
 import org.springframework.lang.Nullable;
@@ -143,7 +144,7 @@ private static CronField parseList(String value, Type type, BiFunction<String, T
 	}
 
 	private static String replaceOrdinals(String value, String[] list) {
-		value = value.toUpperCase();
+		value = value.toUpperCase(Locale.ROOT);
 		for (int i = 0; i < list.length; i++) {
 			String replacement = Integer.toString(i + 1);
 			value = StringUtils.replace(value, list[i], replacement);

spring-context/src/main/java/org/springframework/scheduling/support/CronSequenceGenerator.java

@@ -23,6 +23,7 @@
 import java.util.Date;
 import java.util.GregorianCalendar;
 import java.util.List;
+import java.util.Locale;
 import java.util.TimeZone;
 
 import org.springframework.lang.Nullable;
@@ -305,8 +306,8 @@ private void doParse(String[] fields) {
 	private String replaceOrdinals(String value, String commaSeparatedList) {
 		String[] list = StringUtils.commaDelimitedListToStringArray(commaSeparatedList);
 		for (int i = 0; i < list.length; i++) {
-			String item = list[i].toUpperCase();
-			value = StringUtils.replace(value.toUpperCase(), item, "" + i);
+			String item = list[i].toUpperCase(Locale.ROOT);
+			value = StringUtils.replace(value.toUpperCase(Locale.ROOT), item, "" + i);
 		}
 		return value;
 	}

spring-core/src/main/java/org/springframework/core/convert/support/StringToBooleanConverter.java

@@ -17,6 +17,7 @@
 package org.springframework.core.convert.support;
 
 import java.util.HashSet;
+import java.util.Locale;
 import java.util.Set;
 
 import org.springframework.core.convert.converter.Converter;
@@ -55,7 +56,7 @@ public Boolean convert(String source) {
 		if (value.isEmpty()) {
 			return null;
 		}
-		value = value.toLowerCase();
+		value = value.toLowerCase(Locale.ROOT);
 		if (trueValues.contains(value)) {
 			return Boolean.TRUE;
 		}

spring-core/src/main/java/org/springframework/core/env/SystemEnvironmentPropertySource.java

@@ -16,6 +16,7 @@
 
 package org.springframework.core.env;
 
+import java.util.Locale;
 import java.util.Map;
 
 import org.springframework.lang.Nullable;
@@ -109,7 +110,7 @@ protected final String resolvePropertyName(String name) {
 		if (resolvedName != null) {
 			return resolvedName;
 		}
-		String uppercasedName = name.toUpperCase();
+		String uppercasedName = name.toUpperCase(Locale.ROOT);
 		if (!name.equals(uppercasedName)) {
 			resolvedName = checkPropertyName(uppercasedName);
 			if (resolvedName != null) {

spring-core/src/main/java/org/springframework/util/ResourceUtils.java

@@ -23,6 +23,7 @@
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.net.URLConnection;
+import java.util.Locale;
 
 import org.springframework.lang.Nullable;
 
@@ -295,7 +296,7 @@ public static boolean isJarURL(URL url) {
 	 */
 	public static boolean isJarFileURL(URL url) {
 		return (URL_PROTOCOL_FILE.equals(url.getProtocol()) &&
-				url.getPath().toLowerCase().endsWith(JAR_FILE_EXTENSION));
+				url.getPath().toLowerCase(Locale.ROOT).endsWith(JAR_FILE_EXTENSION));
 	}
 
 	/**

spring-expression/src/main/java/org/springframework/expression/spel/SpelParserConfiguration.java

@@ -16,9 +16,13 @@
 
 package org.springframework.expression.spel;
 
+import java.util.Locale;
+
 import org.springframework.core.SpringProperties;
 import org.springframework.lang.Nullable;
 
+
+
 /**
  * Configuration object for the SpEL expression parser.
  *
@@ -45,7 +49,7 @@ public class SpelParserConfiguration {
 	static {
 		String compilerMode = SpringProperties.getProperty(SPRING_EXPRESSION_COMPILER_MODE_PROPERTY_NAME);
 		defaultCompilerMode = (compilerMode != null ?
-				SpelCompilerMode.valueOf(compilerMode.toUpperCase()) : SpelCompilerMode.OFF);
+				SpelCompilerMode.valueOf(compilerMode.toUpperCase(Locale.ROOT)) : SpelCompilerMode.OFF);
 	}
 
 

spring-expression/src/main/java/org/springframework/expression/spel/ast/TypeReference.java

@@ -17,6 +17,7 @@
 package org.springframework.expression.spel.ast;
 
 import java.lang.reflect.Array;
+import java.util.Locale;
 
 import org.springframework.asm.MethodVisitor;
 import org.springframework.asm.Type;
@@ -57,7 +58,7 @@ public TypedValue getValueInternal(ExpressionState state) throws EvaluationExcep
 		String typeName = (String) this.children[0].getValueInternal(state).getValue();
 		Assert.state(typeName != null, "No type name");
 		if (!typeName.contains(".") && Character.isLowerCase(typeName.charAt(0))) {
-			TypeCode tc = TypeCode.valueOf(typeName.toUpperCase());
+			TypeCode tc = TypeCode.valueOf(typeName.toUpperCase(Locale.ROOT));
 			if (tc != TypeCode.OBJECT) {
 				// It is a primitive type
 				Class<?> clazz = makeArrayIfNecessary(tc.getType());