On Tue, 4 Nov 2025 17:37:24 GMT, Oumaiyma Intissar <[email protected]> wrote:
>> Constructing URLPermission with an empty/missing host in the authority
>> (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`.
>>
>> **Problem**
>> Empty or malformed authorities reach HostPortrange, which does `charAt(0)`
>> without checking, causing `StringIndexOutOfBoundsException`.
>>
>> **Fix**
>> - `URLPermission.Authority`: after stripping userinfo, fail fast if host
>>   part is empty.
>> - `HostPortrange`: add guards for null/empty input and leading ':' (port
>>   without host).
>> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager`
>>   permission path is gone).
>>
>> **Compatibility**
>> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`,
>> now `IllegalArgumentException`. Valid inputs unaffected.
>>
>> **Testing**
>> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java`
>> verifies `IllegalArgumentException` for malformed authorities and success
>> for valid ones.
>
> Oumaiyma Intissar has updated the pull request incrementally with one
> additional commit since the last revision:
>
>   Fix missing newline at end of EmptyAuthorityTest.java
>
>   Add missing newline at the end of the file.

src/java.base/share/classes/java/net/HostPortrange.java line 71:

> 69:             if (host.charAt(0) == ':') {
> 70:                 throw new IllegalArgumentException("missing host in authority: " + host);
> 71:             }

Throwing if the host part is not present is a different fix - and a change of behavior.
It seems it has always been possible to construct an URLPermission of the form:

`new URLPermission("http://:999/foo");`

I am not sure what that would be useful for - but I'd suggest we track that with another issue if you want to pursue it.

I'd suggest to revert lines 68-71

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/27896#discussion_r2493875961
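
The distinction the review draws, shown as an added example that is not part of the message above and is not the JDK's code: a simplified, hypothetical authority parser with the unchecked `charAt(0)` next to a form that guards only the null/empty case. The class name, method names and sample inputs are assumptions made for illustration.

```java
import java.util.function.Function;

// Added illustration: a simplified stand-in, NOT the JDK's HostPortrange.
public class AuthorityGuardDemo {

    // Unguarded form: reads the first character without a length check,
    // so an empty authority fails with StringIndexOutOfBoundsException.
    static String parseUnguarded(String authority) {
        if (authority.charAt(0) == '[') {
            return authority.substring(0, authority.indexOf(']') + 1);
        }
        int colon = authority.indexOf(':');
        return colon < 0 ? authority : authority.substring(0, colon);
    }

    // Guarded form: rejects only null/empty input with a documented
    // exception type. A leading ':' (port without host) is deliberately
    // left alone, since rejecting it would be a separate behavior change.
    static String parseGuarded(String authority) {
        if (authority == null || authority.isEmpty()) {
            throw new IllegalArgumentException("empty authority");
        }
        return parseUnguarded(authority);
    }

    // Runs a parser and reports either the host or the exception type.
    static String outcome(Function<String, String> parser, String input) {
        try {
            return "host=\"" + parser.apply(input) + "\"";
        } catch (RuntimeException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed sample authorities: empty, port-only, and well-formed.
        String[] samples = {"", ":999", "example.com:80"};
        for (String s : samples) {
            System.out.printf("%-18s unguarded=%-34s guarded=%s%n",
                    "\"" + s + "\"",
                    outcome(AuthorityGuardDemo::parseUnguarded, s),
                    outcome(AuthorityGuardDemo::parseGuarded, s));
        }
    }
}
```

Only the empty input changes outcome between the two forms; the port-only input parses to an empty host in both, which is why rejecting it is a behavior change rather than part of the crash fix.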
