@OumaIntissar OumaIntissar commented Oct 20, 2025

Constructing URLPermission with an empty/missing host in the authority (e.g., "http:///path") could throw StringIndexOutOfBoundsException.

Problem
Empty or malformed authorities reach HostPortrange, which does charAt(0) without checking, causing StringIndexOutOfBoundsException.

Fix

  • URLPermission.Authority: after stripping userinfo, fail fast if host part is empty.
  • HostPortrange: add guards for null/empty input and leading ':' (port without host).
  • No HttpURLConnection changes needed in JDK 26 (the SecurityManager permission path is gone).

Compatibility
Only affects malformed inputs: previously StringIndexOutOfBoundsException, now IllegalArgumentException. Valid inputs unaffected.

Testing
New jtreg test: test/jdk/java/net/URLPermission/EmptyAuthorityTest.java verifies IllegalArgumentException for malformed authorities and success for valid ones.


Progress

  • Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • Change must not contain extraneous whitespace
  • Commit message must refer to an issue

Issue

  • JDK-8367049: URLPermission.<init> throws StringIndexOutOfBoundsException in avm mode (Bug - P5)

Reviewers

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/27896/head:pull/27896
$ git checkout pull/27896

Update a local copy of the PR:
$ git checkout pull/27896
$ git pull https://git.openjdk.org/jdk.git pull/27896/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 27896

View PR using the GUI difftool:
$ git pr show -t 27896

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/27896.diff

Using Webrev

Link to Webrev Comment
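
The failure mode and guard order from the PR description above, as an added example that is not part of the PR and not the JDK's source. `hostUnguarded` and `hostGuarded` are hypothetical, simplified stand-ins for the authority parsing, and the sample authorities are constructed.

```java
import java.util.function.Function;

// Added illustration: simplified stand-ins, NOT the JDK's URLPermission/HostPortrange source.
public class AuthorityGuardDemo {

    // Unguarded shape: reads the first character without checking for empty input.
    static String hostUnguarded(String authority) {
        String hostPort = authority.substring(authority.lastIndexOf('@') + 1); // strip userinfo
        if (hostPort.charAt(0) == '[') {       // StringIndexOutOfBoundsException when empty
            return hostPort.substring(0, hostPort.indexOf(']') + 1);
        }
        int colon = hostPort.indexOf(':');
        return colon < 0 ? hostPort : hostPort.substring(0, colon);
    }

    // Guarded shape: every malformed authority ends in IllegalArgumentException.
    static String hostGuarded(String authority) {
        if (authority == null || authority.isEmpty()) {
            throw new IllegalArgumentException("empty authority");
        }
        String hostPort = authority.substring(authority.lastIndexOf('@') + 1);
        if (hostPort.isEmpty()) throw new IllegalArgumentException("no host after userinfo");
        if (hostPort.charAt(0) == ':') throw new IllegalArgumentException("port without host");
        if (hostPort.charAt(0) == '[') {
            int end = hostPort.indexOf(']');
            if (end < 0) throw new IllegalArgumentException("unterminated IPv6 literal");
            return hostPort.substring(0, end + 1);
        }
        int colon = hostPort.indexOf(':');
        return colon < 0 ? hostPort : hostPort.substring(0, colon);
    }

    // Runs one parser and reports either the host or the exception type it raised.
    static String outcome(Function<String, String> parser, String authority) {
        try {
            return "host=\"" + parser.apply(authority) + "\"";
        } catch (RuntimeException e) {
            return e.getClass().getSimpleName();
        }
    }

    public static void main(String[] args) {
        // Constructed sample authorities: two valid, three malformed.
        for (String a : new String[] {"example.com:443", "[::1]:80", "", "user@", ":8080"}) {
            System.out.printf("%-18s unguarded: %-34s guarded: %s%n", "\"" + a + "\"",
                    outcome(AuthorityGuardDemo::hostUnguarded, a),
                    outcome(AuthorityGuardDemo::hostGuarded, a));
        }
    }
}
```

In this stand-in the unguarded path returns an empty host for `:8080` instead of failing, which is the case a separate leading-':' guard exists to reject.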

@bridgekeeper bridgekeeper bot added the oca Needs verification of OCA signatory status label Oct 20, 2025

bridgekeeper bot commented Oct 20, 2025

Hi @OumaIntissar, welcome to this OpenJDK project and thanks for contributing!

We do not recognize you as Contributor and need to ensure you have signed the Oracle Contributor Agreement (OCA). If you have not signed the OCA, please follow the instructions. Please fill in your GitHub username in the "Username" field of the application. Once you have signed the OCA, please let us know by writing /signed in a comment in this pull request.

If you already are an OpenJDK Author, Committer or Reviewer, please click here to open a new issue so that we can record that fact. Please use "Add GitHub user OumaIntissar" as summary for the issue.

If you are contributing this work on behalf of your employer and your employer has signed the OCA, please let us know by writing /covered in a comment in this pull request.


openjdk bot commented Oct 20, 2025

@OumaIntissar This change now passes all automated pre-integration checks.

ℹ️ This project also has non-automated pre-integration requirements. Please see the file CONTRIBUTING.md for details.

After integration, the commit message for the final commit will be:

8367049: URLPermission.<init> throws StringIndexOutOfBoundsException in avm mode

Reviewed-by: michaelm, dfuchs, coffeys

You can use pull request commands such as /summary, /contributor and /issue to adjust it as needed.

At the time when this comment was updated there had been 5 new commits pushed to the master branch:

As there are no conflicts, your changes will automatically be rebased on top of these commits when integrating. If you prefer to avoid this automatic rebasing, please check the documentation for the /integrate command for further details.

As you do not have Committer status in this project an existing Committer must agree to sponsor your change. Possible candidates are the reviewers of this PR (@coffeys, @Michael-Mc-Mahon, @dfuch) but any other Committer may sponsor as well.

➡️ To flag this PR as ready for integration with the above commit message, type /integrate in a new comment. (Afterwards, your sponsor types /sponsor in a new comment to perform the integration).

@openjdk openjdk bot added the net net-dev@openjdk.org label Oct 20, 2025

openjdk bot commented Oct 20, 2025

@OumaIntissar The following label will be automatically applied to this pull request:

  • net

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

@OumaIntissar
Contributor Author

/covered

@bridgekeeper bridgekeeper bot added the oca-verify Needs verification of OCA signatory status label Oct 20, 2025

bridgekeeper bot commented Oct 20, 2025

Thank you! Please allow for a few business days to verify that your employer has signed the OCA. Also, please note that pull requests that are pending an OCA check will not usually be evaluated, so your patience is appreciated!


openjdk bot commented Oct 20, 2025

@OumaIntissar Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

@bridgekeeper bridgekeeper bot removed oca Needs verification of OCA signatory status oca-verify Needs verification of OCA signatory status labels Nov 4, 2025
@openjdk openjdk bot added the rfr Pull request is ready for review label Nov 4, 2025

mlbridge bot commented Nov 4, 2025

@AlanBateman
Contributor

The title on the JBS issue and PR is a bit confusing. Opening a URL connection shouldn't use URLPermission anymore so I think the issue (in main line) is really with code that uses the deprecated URLPermission class directly. Would it be possible to confirm this, and if confirmed, can the JBS issue be renamed?

Contributor

@coffeys coffeys left a comment

Looks fine to me


openjdk bot commented Nov 4, 2025

⚠️ @OumaIntissar the full name on your profile does not match the author name in this pull requests' HEAD commit. If this pull request gets integrated then the author name from this pull requests' HEAD commit will be used for the resulting commit. If you wish to push a new commit with a different author name, then please run the following commands in a local repository of your personal fork:

$ git checkout 8367049
$ git commit --author='Preferred Full Name <you@example.com>' --allow-empty -m 'Update full name'
$ git push

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Nov 4, 2025
@dfuch
Member

dfuch commented Nov 4, 2025

I agree with Alan that we should update the JBS issue title to match what is being fixed.
URL.openConnection does not throw in JDK 24 and later. URLPermission still does.
Otherwise the proposed fix looks reasonable.

@OumaIntissar
Contributor Author

> The title on the JBS issue and PR is a bit confusing. Opening a URL connection shouldn't use URLPermission anymore so I think the issue (in main line) is really with code that uses the deprecated URLPermission class directly. Would it be possible to confirm this, and if confirmed, can the JBS issue be renamed?

Thank you for your feedback. The issue was reported specifically for JDK 17, so the current JBS issue title accurately reflects the context and version concerned. While the root cause is with URLPermission and HostPortrange (which still exist in the main line) the title needs to remain as is to properly indicate that this is a JDK 17 issue.

The planned approach is to address and fix the issue in the main line first. Once resolved, the fix will then be backported to JDK 17 and other affected releases.

@openjdk openjdk bot removed the ready Pull request is ready to be integrated label Nov 4, 2025
@AlanBateman
Contributor

I've renamed the JBS issue as it is too confusing to target main line with commit suggestion URLConnection then it's an issue with the deprecated URLPermission.

@OumaIntissar OumaIntissar changed the title from "8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode" to "8367049: URLPermission.<init> throws StringIndexOutOfBoundsException in avm mode" Nov 5, 2025
@OumaIntissar OumaIntissar requested review from coffeys and dfuch November 5, 2025 09:31
@OumaIntissar
Contributor Author

/integrate


openjdk bot commented Nov 10, 2025

@OumaIntissar This pull request has not yet been marked as ready for integration.

@OumaIntissar OumaIntissar requested a review from dfuch November 10, 2025 11:53

openjdk bot commented Nov 18, 2025

@OumaIntissar Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

Member

@dfuch dfuch left a comment

LGTM - please run tier2 before integrating.

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Nov 18, 2025
Member

@Michael-Mc-Mahon Michael-Mc-Mahon left a comment

Looks fine.

@openjdk openjdk bot removed the ready Pull request is ready to be integrated label Nov 21, 2025
@OumaIntissar
Contributor Author

> LGTM - please run tier2 before integrating.

thanks! tier1, tier2 and tier3 are tested and passing well.


openjdk bot commented Nov 21, 2025

@OumaIntissar Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.

Member

@Michael-Mc-Mahon Michael-Mc-Mahon left a comment

LGTM

@openjdk openjdk bot added the ready Pull request is ready to be integrated label Nov 21, 2025
@OumaIntissar
Contributor Author

/integrate

@openjdk openjdk bot added the sponsor Pull request is ready to be sponsored label Nov 21, 2025

openjdk bot commented Nov 21, 2025

@OumaIntissar
Your change (at version 543f237) is now ready to be sponsored by a Committer.

@coffeys
Contributor

coffeys commented Nov 21, 2025

/sponsor


openjdk bot commented Nov 21, 2025

Going to push as commit 5f806e7.
Since your change was applied there have been 6 commits pushed to the master branch:

Your commit was automatically rebased without conflicts.

@openjdk openjdk bot added the integrated Pull request has been integrated label Nov 21, 2025
@openjdk openjdk bot closed this Nov 21, 2025
@openjdk openjdk bot removed ready Pull request is ready to be integrated rfr Pull request is ready for review sponsor Pull request is ready to be sponsored labels Nov 21, 2025

openjdk bot commented Nov 21, 2025

@coffeys @OumaIntissar Pushed as commit 5f806e7.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.
