On Tue, 4 Nov 2025 17:37:24 GMT, Oumaiyma Intissar <[email protected]> wrote:
>> Constructing URLPermission with an empty/missing host in the authority >> (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`. >> >> **Problem** >> Empty or malformed authorities reach HostPortrange, which does `charAt(0)` >> without checking, causing `StringIndexOutOfBoundsException`. >> >> **Fix** >> - `URLPermission.Authority`: after stripping userinfo, fail fast if host >> part is empty. >> - `HostPortrange`: add guards for null/empty input and leading ':' (port >> without host). >> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` >> permission path is gone). >> >> **Compatibility** >> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, >> now `IllegalArgumentException`. Valid inputs unaffected. >> >> **Testing** >> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` >> verifies `IllegalArgumentException` for malformed authorities and success >> for valid ones. > > Oumaiyma Intissar has updated the pull request incrementally with one > additional commit since the last revision: > > Fix missing newline at end of EmptyAuthorityTest.java > > Add missing newline at the end of the file. I've renamed the JBS issue as it is too confusing to target main line with commit suggestion URLConnection then it's an issue with the deprecated URLPermission. ------------- PR Comment: https://git.openjdk.org/jdk/pull/27896#issuecomment-3487341152
