RFR: 8367049: URLPermission.<init> throws StringIndexOutOfBoundsException in avm mode [v4]
Michael McMahon
michaelm at openjdk.org
Tue Nov 18 16:08:01 UTC 2025
On Tue, 18 Nov 2025 14:21:42 GMT, Oumaiyma Intissar <duke at openjdk.org> wrote:
>> Constructing URLPermission with an empty/missing host in the authority (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`.
>>
>> **Problem**
>> Empty or malformed authorities reach HostPortrange, which does `charAt(0)` without checking, causing `StringIndexOutOfBoundsException`.
>>
>> **Fix**
>> - `URLPermission.Authority`: after stripping userinfo, fail fast if host part is empty.
>> - `HostPortrange`: add guards for null/empty input and leading ':' (port without host).
>> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` permission path is gone).
>>
>> **Compatibility**
>> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, now `IllegalArgumentException`. Valid inputs unaffected.
>>
>> **Testing**
>> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` verifies `IllegalArgumentException` for malformed authorities and success for valid ones.
>
> Oumaiyma Intissar has refreshed the contents of this pull request, and previous commits have been removed. The incremental views will show differences compared to the previous content of the PR. The pull request contains one new commit since the last revision:
>
> 8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode
Looks fine.
-------------
Marked as reviewed by michaelm (Reviewer).
PR Review: https://git.openjdk.org/jdk/pull/27896#pullrequestreview-3478581338
More information about the net-dev
mailing list