On Mon, 20 Oct 2025 12:12:56 GMT, Oumaiyma Intissar <[email protected]> wrote:
> Constructing URLPermission with an empty/missing host in the authority (e.g., > `"http:///path"`) could throw `StringIndexOutOfBoundsException`. > > **Problem** > Empty or malformed authorities reach HostPortrange, which does `charAt(0)` > without checking, causing `StringIndexOutOfBoundsException`. > > **Fix** > - `URLPermission.Authority`: after stripping userinfo, fail fast if host part > is empty. > - `HostPortrange`: add guards for null/empty input and leading ':' (port > without host). > - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` > permission path is gone). > > **Compatibility** > Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, > now `IllegalArgumentException`. Valid inputs unaffected. > > **Testing** > New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` > verifies `IllegalArgumentException` for malformed authorities and success for > valid ones. Looks fine to me ------------- Marked as reviewed by coffeys (Reviewer). PR Review: https://git.openjdk.org/jdk/pull/27896#pullrequestreview-3417395498
