RFR: 8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode
Sean Coffey
coffeys at openjdk.org
Tue Nov 4 16:22:31 UTC 2025
On Mon, 20 Oct 2025 12:12:56 GMT, Oumaiyma Intissar <duke at openjdk.org> wrote:
> Constructing URLPermission with an empty/missing host in the authority (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`.
>
> **Problem**
> Empty or malformed authorities reach HostPortrange, which does `charAt(0)` without checking, causing `StringIndexOutOfBoundsException`.
>
> **Fix**
> - `URLPermission.Authority`: after stripping userinfo, fail fast if host part is empty.
> - `HostPortrange`: add guards for null/empty input and leading ':' (port without host).
> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` permission path is gone).
>
> **Compatibility**
> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, now `IllegalArgumentException`. Valid inputs unaffected.
>
> **Testing**
> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` verifies `IllegalArgumentException` for malformed authorities and success for valid ones.
Looks fine to me
-------------
Marked as reviewed by coffeys (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/27896#pullrequestreview-3417395498
More information about the net-dev
mailing list