On Mon, 20 Oct 2025 12:12:56 GMT, Oumaiyma Intissar <[email protected]> wrote:
> Constructing URLPermission with an empty/missing host in the authority (e.g., > `"http:///path"`) could throw `StringIndexOutOfBoundsException`. > > **Problem** > Empty or malformed authorities reach HostPortrange, which does `charAt(0)` > without checking, causing `StringIndexOutOfBoundsException`. > > **Fix** > - `URLPermission.Authority`: after stripping userinfo, fail fast if host part > is empty. > - `HostPortrange`: add guards for null/empty input and leading ':' (port > without host). > - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` > permission path is gone). > > **Compatibility** > Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, > now `IllegalArgumentException`. Valid inputs unaffected. > > **Testing** > New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` > verifies `IllegalArgumentException` for malformed authorities and success for > valid ones. This pull request has now been integrated. Changeset: 5f806e7f Author: Oumaiyma Intissar <[email protected]> Committer: Sean Coffey <[email protected]> URL: https://git.openjdk.org/jdk/commit/5f806e7f8b66c14954a07005be3bceb2f812fbff Stats: 76 lines in 3 files changed: 76 ins; 0 del; 0 mod 8367049: URLPermission.<init> throws StringIndexOutOfBoundsException in avm mode Reviewed-by: michaelm, dfuchs, coffeys ------------- PR: https://git.openjdk.org/jdk/pull/27896
