From 09b5222f5220a30a7ba56cc12b13d32426bf927f Mon Sep 17 00:00:00 2001
From: Phillip Webb <pwebb@pivotal.io>
Date: Wed, 11 Nov 2015 20:15:28 -0800
Subject: [PATCH] Disable suffix pattern matching for Endpoints

Update EndpointHandlerMapping so that setUseSuffixPatternMatch is set
to false. This prevents URLs of the form /beans.json from returning
results and provides another line of defense against RDF attacks.

Fixes gh-4402
---
 .../boot/actuate/endpoint/mvc/EndpointHandlerMapping.java        | 1 +
 1 file changed, 1 insertion(+)

diff --git a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
index d6e603cd05c..85cf62b96e6 100644
--- a/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
+++ b/spring-boot-actuator/src/main/java/org/springframework/boot/actuate/endpoint/mvc/EndpointHandlerMapping.java
@@ -80,6 +80,7 @@ public class EndpointHandlerMapping extends RequestMappingHandlerMapping {
 			CorsConfiguration corsConfiguration) {
 		this.endpoints = new HashSet<MvcEndpoint>(endpoints);
 		this.corsConfiguration = corsConfiguration;
+		setUseSuffixPatternMatch(false);
 		// By default the static resource handler mapping is LOWEST_PRECEDENCE - 1
 		// and the RequestMappingHandlerMapping is 0 (we ideally want to be before both)
 		setOrder(-100);