RFR: 8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode
Oumaiyma Intissar
duke at openjdk.org
Tue Nov 4 14:53:24 UTC 2025
Constructing URLPermission with an empty/missing host in the authority (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`.
**Problem**
Empty or malformed authorities reach HostPortrange, which does `charAt(0)` without checking, causing `StringIndexOutOfBoundsException`.
**Fix**
- `URLPermission.Authority`: after stripping userinfo, fail fast if host part is empty.
- `HostPortrange`: add guards for null/empty input and leading ':' (port without host).
- No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` permission path is gone).
**Compatibility**
Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, now `IllegalArgumentException`. Valid inputs unaffected.
**Testing**
New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` verifies `IllegalArgumentException` for malformed authorities and success for valid ones.
-------------
Commit messages:
- 8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode
Changes: https://git.openjdk.org/jdk/pull/27896/files
Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=27896&range=00
Issue: https://bugs.openjdk.org/browse/JDK-8367049
Stats: 81 lines in 3 files changed: 81 ins; 0 del; 0 mod
Patch: https://git.openjdk.org/jdk/pull/27896.diff
Fetch: git fetch https://git.openjdk.org/jdk.git pull/27896/head:pull/27896
PR: https://git.openjdk.org/jdk/pull/27896
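
The guard pattern described in the message, as an added example that is not code from the JDK or from this pull request: a sketch of an authority parser that strips userinfo, then rejects an empty host or a leading ':' before any `charAt(0)` call. The class and method names (`AuthorityGuardDemo`, `hostOf`, `unguardedFirstChar`) are hypothetical, and the sample authorities are constructed.

```java
import java.util.List;

// Added illustration; not the JDK's URLPermission or HostPortrange source.
public class AuthorityGuardDemo {

    // Hypothetical helper: returns the host part of "user@host:port",
    // rejecting the malformed shapes named in the message.
    static String hostOf(String authority) {
        if (authority == null) {
            throw new IllegalArgumentException("null authority");
        }
        // Strip userinfo first, then fail fast if nothing is left.
        int at = authority.lastIndexOf('@');
        String hostPort = (at >= 0) ? authority.substring(at + 1) : authority;
        if (hostPort.isEmpty()) {
            throw new IllegalArgumentException("empty host in authority");
        }
        // charAt(0) is safe from here on: hostPort has at least one character.
        if (hostPort.charAt(0) == ':') {
            throw new IllegalArgumentException("port without host: " + hostPort);
        }
        if (hostPort.charAt(0) == '[') { // IPv6 literal, e.g. [::1]:443
            int end = hostPort.indexOf(']');
            if (end < 0) {
                throw new IllegalArgumentException("unterminated IPv6 literal");
            }
            return hostPort.substring(0, end + 1);
        }
        int colon = hostPort.indexOf(':');
        return colon < 0 ? hostPort : hostPort.substring(0, colon);
    }

    // The unguarded access: throws StringIndexOutOfBoundsException on "".
    static char unguardedFirstChar(String hostPort) {
        return hostPort.charAt(0);
    }

    public static void main(String[] args) {
        // Constructed sample authorities: three valid, three malformed.
        List<String> samples = List.of("example.com:8080", "user@example.com",
                                       "[::1]:443", "", "user@", ":8080");
        for (String a : samples) {
            try {
                System.out.printf("\"%s\" -> host %s%n", a, hostOf(a));
            } catch (IllegalArgumentException e) {
                System.out.printf("\"%s\" -> rejected: %s%n", a, e.getMessage());
            }
        }
        try {
            unguardedFirstChar("");
        } catch (StringIndexOutOfBoundsException e) {
            System.out.println("unguarded: " + e);
        }
    }
}
```

Callers that validate untrusted URLs and catch only `IllegalArgumentException` would miss the unchecked `StringIndexOutOfBoundsException` shown in the last case, which is why the exception type change matters for input-handling code.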