Fix ForwardedHeaderFilter getRequestURL()

Previously ForwardedHeaderFilter would return the same StringBuffer for every invocation. This
meant that users that modified the StringBuffer changed the state of the HttpServletRequest.

This commit ensures that a new StringBuffer is always returned for ForwardedHeaderFilter.

Issue: SPR-15423

Author: xyloman

spring-web/src/main/java/org/springframework/web/filter/ForwardedHeaderFilter.java

@@ -118,7 +118,7 @@ private static class ForwardedHeaderRequestWrapper extends HttpServletRequestWra
 
 		private final String requestUri;
 
-		private final StringBuffer requestUrl;
+		private final String requestUrl;
 
 		private final Map<String, List<String>> headers;
 
@@ -137,8 +137,8 @@ public ForwardedHeaderRequestWrapper(HttpServletRequest request, UrlPathHelper p
 			String prefix = getForwardedPrefix(request);
 			this.contextPath = (prefix != null ? prefix : request.getContextPath());
 			this.requestUri = this.contextPath + pathHelper.getPathWithinApplication(request);
-			this.requestUrl = new StringBuffer(this.scheme + "://" + this.host +
-					(port == -1 ? "" : ":" + port) + this.requestUri);
+			this.requestUrl = this.scheme + "://" + this.host +
+					(port == -1 ? "" : ":" + port) + this.requestUri;
 			this.headers = initHeaders(request);
 		}
 
@@ -206,7 +206,7 @@ public String getRequestURI() {
 
 		@Override
 		public StringBuffer getRequestURL() {
-			return this.requestUrl;
+			return new StringBuffer(this.requestUrl);
 		}
 
 		// Override header accessors to not expose forwarded headers

spring-web/src/test/java/org/springframework/web/filter/ForwardedHeaderFilterTests.java

@@ -208,6 +208,16 @@ public void requestUriWithForwardedPrefixTrailingSlash() throws Exception {
 		HttpServletRequest actual = filterAndGetWrappedRequest();
 		assertEquals("http://localhost/prefix/mvc-showcase", actual.getRequestURL().toString());
 	}
+	
+	@Test
+	public void requestURLNewStringBuffer() throws Exception { 
+		this.request.addHeader(X_FORWARDED_PREFIX, "/prefix/");
+		this.request.setRequestURI("/mvc-showcase");
+
+		HttpServletRequest actual = filterAndGetWrappedRequest();
+		actual.getRequestURL().append("?key=value");
+		assertEquals("http://localhost/prefix/mvc-showcase", actual.getRequestURL().toString());
+	}
 
 	@Test
 	public void contextPathWithForwardedPrefix() throws Exception {