On Mon, 20 Oct 2025 12:12:56 GMT, Oumaiyma Intissar <[email protected]> wrote:
> Constructing URLPermission with an empty/missing host in the authority (e.g., > `"http:///path"`) could throw `StringIndexOutOfBoundsException`. > > **Problem** > Empty or malformed authorities reach HostPortrange, which does `charAt(0)` > without checking, causing `StringIndexOutOfBoundsException`. > > **Fix** > - `URLPermission.Authority`: after stripping userinfo, fail fast if host part > is empty. > - `HostPortrange`: add guards for null/empty input and leading ':' (port > without host). > - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` > permission path is gone). > > **Compatibility** > Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, > now `IllegalArgumentException`. Valid inputs unaffected. > > **Testing** > New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` > verifies `IllegalArgumentException` for malformed authorities and success for > valid ones. I agree with Alan that we should update the JBS issue title to match what is being fixed. `URL.openConnection` does not throw in JDK 24 and later. `URLPermission` still does. Otherwise the proposed fix looks reasonable. ------------- PR Comment: https://git.openjdk.org/jdk/pull/27896#issuecomment-3487087557
