JDK-8213889

URLPermission with query or fragment behaves incorrectly

    Details

    • Type: CSR
    • Status: Closed
    • Priority: P4
    • Resolution: Approved
    • Fix Version/s: 12
    • Component/s: core-libs
    • Labels:
      None
    • Compatibility Kind:
      behavioral
    • Compatibility Risk:
      minimal
    • Compatibility Risk Description:
      Any URLPermission previously created with query or fragment components will behave differently now. However, permission checks would have failed with such permissions previously. Also, the places in the JDK where we create URLPermissions to test against security policies do not include queries or fragments as part of the URL string. So it is not likely that anyone is relying on this behavior.
    • Interface Kind:
      Java API
    • Scope:
      SE

      Description

      Summary

      Spec clarification for URLPermission in the case where an instance is created with a query and/or fragment in the url string.

      Problem

      java.net.URLPermission is specified to accept only the scheme, authority and path components of given URLs. The intent (and wording of the spec) was that other components would be ignored. However, the implementation is not currently ignoring them, which is a bug. As part of fixing the bug we would like to tighten up the spec to specify the components that we are ignoring, to distinguish them from URLs that are invalid.
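
      The following is an added example, not part of this CSR or of the JDK sources. It compares a URLPermission built from a request URL that carries a query and fragment with one built after stripping them in the caller, which keeps the permission check independent of whether the running JDK has this fix. The class name, the helper `stripQueryAndFragment` and the example.com URLs are assumptions made for illustration.

```java
import java.net.URLPermission;

public class UrlPermissionQueryDemo {

    // Hypothetical helper (not a JDK API): drop "[ ? query ] [ # fragment ]"
    // in the caller, so the permission is always built from scheme,
    // authority and path only, whatever the JDK version does.
    static String stripQueryAndFragment(String url) {
        int q = url.indexOf('?');
        int f = url.indexOf('#');
        int cut = (q < 0) ? f : (f < 0 ? q : Math.min(q, f));
        return cut < 0 ? url : url.substring(0, cut);
    }

    public static void main(String[] args) {
        // Constructed sample values: a policy-style grant for everything
        // under /api/ and a request URL with a query and a fragment.
        URLPermission granted =
                new URLPermission("https://example.com/api/-", "GET");
        String requested = "https://example.com/api/v1/users?id=7#top";

        // Permission built from the URL exactly as the caller received it.
        URLPermission raw = new URLPermission(requested, "GET");

        // Permission built after stripping the ignored components ourselves.
        URLPermission stripped =
                new URLPermission(stripQueryAndFragment(requested), "GET");

        // Under the clarified spec getName() holds only scheme, authority
        // and path, so the two permissions should be interchangeable.
        System.out.println("raw name:       " + raw.getName());
        System.out.println("stripped name:  " + stripped.getName());
        System.out.println("raw == stripped: " + raw.equals(stripped));

        // The check a security policy would perform against the grant.
        System.out.println("granted implies raw:      " + granted.implies(raw));
        System.out.println("granted implies stripped: " + granted.implies(stripped));
    }
}
```

      Any difference between the "raw" and "stripped" lines on a given runtime indicates that the runtime is not ignoring the query or fragment as the clarified specification requires.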

      Solution

      A small change to the class docs for URLPermission.

      Specification

      Change the following in the class level apidoc for java.net.URLPermission.

      diff -r 04d7e790aa2e src/java.base/share/classes/java/net/URLPermission.java
      --- a/src/java.base/share/classes/java/net/URLPermission.java   Fri Nov 09 10:38:07 2018 +0100
      +++ b/src/java.base/share/classes/java/net/URLPermission.java   Tue Nov 13 16:28:06 2018 +0000
      @@ -41,7 +41,7 @@
        * <p><b>The url</b><p>
        * The url string has the following expected structure.
        * <pre>
      - *     scheme : // authority [ / path ]
      + *     scheme : // authority [ / path ] [ ignored-query-or-fragment ]
        * </pre>
        * <i>scheme</i> will typically be http or https, but is not restricted by this
        * class.
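
      Review bot: in the <pre> grammar line, the new element is written as [ ignored-query-or-fragment ], but the definition added further down in the class doc is "[ ? query ] [ # fragment ]", which is already entirely optional, so the outer brackets make it optional twice. Either drop the brackets here or keep them and make the later definition non-empty. The term is also used here well before it is defined (this hunk is at line 41, the definition at line 108), so a short "(defined below)" next to the grammar would help readers of the rendered javadoc.
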
      @@ -108,6 +108,16 @@
        * {@link #hashCode()} and {@link #implies(Permission)} are case insensitive with respect
        * to these components. If the <i>authority</i> contains a literal IP address,
        * then the address is normalized for comparison. The path component is case sensitive.
      + * <p>
      + * <i>ignored-query-or-fragment</i> refers to any query or fragment which appears after the
      + * path component, and which is ignored by the constructors of this class. It is defined as:
      + * <pre>
      + *     ignored-query-or-fragment = [ ? query ] [ # fragment ]
      + * </pre>
      + * where <i>query</i> and <i>fragment</i> are as defined in
      + * <a href="http://www.ietf.org/rfc/rfc2296.txt">RFC2396</a>. {@link #getName()} therefore returns
      + * only the <i>scheme</i>, <i>authority</i> and <i>path</i> components of the url string that
      + * the permission was created with.
        * <p><b>The actions string</b><p>
        * The actions string of a URLPermission is a concatenation of the <i>method list</i>
        * and the <i>request headers list</i>. These are lists of the permitted request
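
      Review bot: the RFC link in the added paragraph has href="http://www.ietf.org/rfc/rfc2296.txt" while its link text says RFC2396; the numbers differ, and since the text refers to the URI definitions of query and fragment the href should match the link text (rfc2396.txt). Separately, the paragraph only states the effect on getName(); the context lines just above describe how equals(), hashCode() and implies(Permission) treat the other components, so it would be worth saying explicitly that those methods also disregard the ignored query or fragment.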

              People

              • Assignee:
                michaelm Michael McMahon
                Reporter:
                michaelm Michael McMahon
                Reviewed By:
                Daniel Fuchs