RFR: 8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode
Daniel Fuchs
dfuchs at openjdk.org
Tue Nov 4 17:08:47 UTC 2025
On Mon, 20 Oct 2025 12:12:56 GMT, Oumaiyma Intissar <duke at openjdk.org> wrote:
> Constructing URLPermission with an empty/missing host in the authority (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`.
>
> **Problem**
> Empty or malformed authorities reach HostPortrange, which does `charAt(0)` without checking, causing `StringIndexOutOfBoundsException`.
>
> **Fix**
> - `URLPermission.Authority`: after stripping userinfo, fail fast if host part is empty.
> - `HostPortrange`: add guards for null/empty input and leading ':' (port without host).
> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` permission path is gone).
>
> **Compatibility**
> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, now `IllegalArgumentException`. Valid inputs unaffected.
>
> **Testing**
> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` verifies `IllegalArgumentException` for malformed authorities and success for valid ones.
I agree with Alan that we should update the JBS issue title to match what is being fixed.
`URL.openConnection` does not throw in JDK 24 and later. `URLPermission` still does.
Otherwise the proposed fix looks reasonable.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/27896#issuecomment-3487087557
More information about the net-dev
mailing list