On Mon, 10 Nov 2025 11:50:07 GMT, Oumaiyma Intissar <[email protected]> wrote:
>> Constructing URLPermission with an empty/missing host in the authority >> (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`. >> >> **Problem** >> Empty or malformed authorities reach HostPortrange, which does `charAt(0)` >> without checking, causing `StringIndexOutOfBoundsException`. >> >> **Fix** >> - `URLPermission.Authority`: after stripping userinfo, fail fast if host >> part is empty. >> - `HostPortrange`: add guards for null/empty input and leading ':' (port >> without host). >> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` >> permission path is gone). >> >> **Compatibility** >> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, >> now `IllegalArgumentException`. Valid inputs unaffected. >> >> **Testing** >> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` >> verifies `IllegalArgumentException` for malformed authorities and success >> for valid ones. > > Oumaiyma Intissar has updated the pull request incrementally with one > additional commit since the last revision: > > Remove invalid host check in HostPortrange > > Removed check for leading ':' in host authority. src/java.base/share/classes/java/net/HostPortrange.java line 65: > 63: // Defensive validation first > 64: if (host == null || host.isEmpty()) { > 65: throw new IllegalArgumentException("empty authority"); Hello Oumaiyma, the change overall looks OK to me. However, this error message and the other one feel a bit odd. The variable is called `host` and we throw an "empty authority" here whereas the other place, the variable is called "authority" and we throw a error message which says "empty host". @dfuch do you suggest we switch these error messages? ------------- PR Review Comment: https://git.openjdk.org/jdk/pull/27896#discussion_r2510530643
