RFR: 8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode
Alan Bateman
alanb at openjdk.org
Tue Nov 4 15:00:05 UTC 2025
On Mon, 20 Oct 2025 12:12:56 GMT, Oumaiyma Intissar <duke at openjdk.org> wrote:
> Constructing URLPermission with an empty/missing host in the authority (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`.
>
> **Problem**
> Empty or malformed authorities reach HostPortrange, which does `charAt(0)` without checking, causing `StringIndexOutOfBoundsException`.
>
> **Fix**
> - `URLPermission.Authority`: after stripping userinfo, fail fast if host part is empty.
> - `HostPortrange`: add guards for null/empty input and leading ':' (port without host).
> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` permission path is gone).
>
> **Compatibility**
> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, now `IllegalArgumentException`. Valid inputs unaffected.
>
> **Testing**
> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` verifies `IllegalArgumentException` for malformed authorities and success for valid ones.

The title on the JBS issue and PR is a bit confusing. Opening a URL connection shouldn't use URLPermission anymore so I think the issue (in main line) is really with code that uses the deprecated URLPermission class directly. Would it be possible to confirm this, and if confirmed, can the JBS issue be renamed?
-------------
PR Comment: https://git.openjdk.org/jdk/pull/27896#issuecomment-3486404798
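
An added example, not part of the thread and not the PR's jtreg test: a stand-alone check that constructs `URLPermission` directly and reports whether malformed authorities are rejected with `IllegalArgumentException` or leak another unchecked exception. The class name `UrlPermissionAuthorityCheck` is hypothetical, and every input except `"http:///path"` is constructed here from the cases the PR description lists.

```java
import java.net.URLPermission;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: exit status 0 only if every input is handled as expected.
@SuppressWarnings({"deprecation", "removal"})
public class UrlPermissionAuthorityCheck {

    // true = should be accepted, false = should be rejected with IllegalArgumentException.
    static final Map<String, Boolean> CASES = new LinkedHashMap<>();
    static {
        CASES.put("http:///path", false);                // from the PR description: empty host
        CASES.put("http://:8080/path", false);           // constructed: port without host
        CASES.put("http://user@/path", false);           // constructed: empty host after userinfo
        CASES.put("http://example.com/path", true);      // constructed: valid
        CASES.put("http://example.com:8080/path", true); // constructed: valid with port
    }

    // Classifies the constructor's behaviour for one URL string.
    static String classify(String url) {
        try {
            new URLPermission(url);
            return "accepted";
        } catch (IllegalArgumentException e) {
            // The documented failure mode for a malformed URL string.
            return "rejected";
        } catch (RuntimeException e) {
            // Anything else (e.g. StringIndexOutOfBoundsException) is an
            // internal parsing error escaping to the caller.
            return "leaked " + e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        int failures = 0;
        for (Map.Entry<String, Boolean> c : CASES.entrySet()) {
            String outcome = classify(c.getKey());
            boolean ok = outcome.equals(c.getValue() ? "accepted" : "rejected");
            if (!ok) {
                failures++;
            }
            System.out.printf("%-32s %-44s %s%n",
                    c.getKey(), outcome, ok ? "ok" : "UNEXPECTED");
        }
        System.exit(failures == 0 ? 0 : 1);
    }
}
```

Because it calls `URLPermission` directly rather than `URL.openConnection`, it exercises the code path the reply above asks about.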