RFR: 8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode
Daniel Fuchs
dfuchs at openjdk.org
Tue Nov 4 16:11:29 UTC 2025
On Mon, 20 Oct 2025 12:12:56 GMT, Oumaiyma Intissar <duke at openjdk.org> wrote:
> Constructing URLPermission with an empty/missing host in the authority (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`.
>
> **Problem**
> Empty or malformed authorities reach HostPortrange, which does `charAt(0)` without checking, causing `StringIndexOutOfBoundsException`.
>
> **Fix**
> - `URLPermission.Authority`: after stripping userinfo, fail fast if host part is empty.
> - `HostPortrange`: add guards for null/empty input and leading ':' (port without host).
> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` permission path is gone).
>
> **Compatibility**
> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, now `IllegalArgumentException`. Valid inputs unaffected.
>
> **Testing**
> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` verifies `IllegalArgumentException` for malformed authorities and success for valid ones.
test/jdk/java/net/URLPermission/EmptyAuthorityTest.java line 69:
> 67: new URLPermission(url); // should not throw
> 68: }
> 69: }
Please add a new line at the end of the file.
-------------
PR Review Comment: https://git.openjdk.org/jdk/pull/27896#discussion_r2491130629
More information about the net-dev
mailing list