On Mon, 10 Nov 2025 11:50:07 GMT, Oumaiyma Intissar <[email protected]> wrote:
>> Constructing URLPermission with an empty/missing host in the authority >> (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`. >> >> **Problem** >> Empty or malformed authorities reach HostPortrange, which does `charAt(0)` >> without checking, causing `StringIndexOutOfBoundsException`. >> >> **Fix** >> - `URLPermission.Authority`: after stripping userinfo, fail fast if host >> part is empty. >> - `HostPortrange`: add guards for null/empty input and leading ':' (port >> without host). >> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` >> permission path is gone). >> >> **Compatibility** >> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, >> now `IllegalArgumentException`. Valid inputs unaffected. >> >> **Testing** >> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` >> verifies `IllegalArgumentException` for malformed authorities and success >> for valid ones. > > Oumaiyma Intissar has updated the pull request incrementally with one > additional commit since the last revision: > > Remove invalid host check in HostPortrange > > Removed check for leading ':' in host authority. Changes requested by michaelm (Reviewer). src/java.base/share/classes/java/net/URLPermission.java line 532: > 530: if (authority == null || authority.isEmpty()) { > 531: throw new IllegalArgumentException("Invalid URL > authority: empty host"); > 532: } Suggestion: if (authority == null || authority.isEmpty()) { throw new IllegalArgumentException("Invalid URL: authority is empty"); } ------------- PR Review: https://git.openjdk.org/jdk/pull/27896#pullrequestreview-3447279412 PR Review Comment: https://git.openjdk.org/jdk/pull/27896#discussion_r2513622303
