RFR: 8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode [v2]
Alan Bateman
alanb at openjdk.org
Tue Nov 4 17:53:39 UTC 2025
On Tue, 4 Nov 2025 17:37:24 GMT, Oumaiyma Intissar <duke at openjdk.org> wrote:
>> Constructing URLPermission with an empty/missing host in the authority (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`.
>>
>> **Problem**
>> Empty or malformed authorities reach HostPortrange, which does `charAt(0)` without checking, causing `StringIndexOutOfBoundsException`.
>>
>> **Fix**
>> - `URLPermission.Authority`: after stripping userinfo, fail fast if host part is empty.
>> - `HostPortrange`: add guards for null/empty input and leading ':' (port without host).
>> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` permission path is gone).
>>
>> **Compatibility**
>> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, now `IllegalArgumentException`. Valid inputs unaffected.
>>
>> **Testing**
>> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` verifies `IllegalArgumentException` for malformed authorities and success for valid ones.
>
> Oumaiyma Intissar has updated the pull request incrementally with one additional commit since the last revision:
>
> Fix missing newline at end of EmptyAuthorityTest.java
>
> Add missing newline at the end of the file.
I've renamed the JBS issue as it is too confusing to target main line with commit suggestion URLConnection then it's an issue with the deprecated URLPermission.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/27896#issuecomment-3487341152
More information about the net-dev
mailing list