On Tue, 18 Nov 2025 14:21:42 GMT, Oumaiyma Intissar <[email protected]> wrote:
>> Constructing URLPermission with an empty/missing host in the authority >> (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`. >> >> **Problem** >> Empty or malformed authorities reach HostPortrange, which does `charAt(0)` >> without checking, causing `StringIndexOutOfBoundsException`. >> >> **Fix** >> - `URLPermission.Authority`: after stripping userinfo, fail fast if host >> part is empty. >> - `HostPortrange`: add guards for null/empty input and leading ':' (port >> without host). >> - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` >> permission path is gone). >> >> **Compatibility** >> Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, >> now `IllegalArgumentException`. Valid inputs unaffected. >> >> **Testing** >> New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` >> verifies `IllegalArgumentException` for malformed authorities and success >> for valid ones. > > Oumaiyma Intissar has refreshed the contents of this pull request, and > previous commits have been removed. The incremental views will show > differences compared to the previous content of the PR. The pull request > contains one new commit since the last revision: > > 8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm > mode Looks fine. ------------- Marked as reviewed by michaelm (Reviewer). PR Review: https://git.openjdk.org/jdk/pull/27896#pullrequestreview-3478581338
