JDK-8273475

URLStreamHandler class does not enforce RFC 2396 rules on the userInfo part

    Details

    • Subcomponent:
    • CPU:
      generic
    • OS:
      generic

      Description

      A DESCRIPTION OF THE PROBLEM :
      The backslash character is allowed in the userInfo part of the URL in Java. The behavior is different from what browsers implement (https://example.com\@www.google.com)

      RFC 2396 specifies that:

      userinfo = *( unreserved | escaped |
                               ";" | ":" | "&" | "=" | "+" | "$" | "," )

      Back-slash is not a valid character there. In the example above, back-slash is allowed and the behavior is different from what is done in the browsers.

      STEPS TO FOLLOW TO REPRODUCE THE PROBLEM :
      When the URL https://example.com\@www.google.com is used in a browser, it goes to host example.com, as opposed to the URL https://example.com@www.google.com, which goes to host www.google.com.
      Java URL parsing returns host www.google.com in both cases.



      EXPECTED VERSUS ACTUAL BEHAVIOR :
      EXPECTED -
      Enforce that backslash is not a valid character in userInfo as specified in the RFC.

      ---------- BEGIN SOURCE ----------
      java.net.URL url = new java.net.URL("https://example.com\\@www.google.com/path");
      url.getHost(); // returns www.google.com in the presence of the backslash

      // All browsers go to "example.com" when backslash is present.


      ---------- END SOURCE ----------

      FREQUENCY : always
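
An added example, not part of the original report or of the JDK sources: a pre-parse check that rejects a URL whose userInfo contains characters outside the RFC 2396 grammar quoted above, so the host is only read from input that browsers and Java cannot interpret differently. The class and method names (`UserInfoCheck`, `rawAuthority`, `hasValidUserInfo`, `checkedHost`) are hypothetical.

```java
import java.net.URL;
import java.util.regex.Pattern;

public class UserInfoCheck {
    // RFC 2396, section 3.2.2:
    //   userinfo = *( unreserved | escaped | ";" | ":" | "&" | "=" | "+" | "$" | "," )
    // unreserved = alphanum | mark, mark = - _ . ! ~ * ' ( ), escaped = "%" hex hex
    private static final Pattern USERINFO = Pattern.compile(
        "(?:[A-Za-z0-9\\-_.!~*'();:&=+$,]|%[0-9A-Fa-f]{2})*");

    /** Raw authority: the text between "://" and the first '/', '?' or '#'. */
    static String rawAuthority(String spec) {
        int start = spec.indexOf("://");
        if (start < 0) throw new IllegalArgumentException("no authority: " + spec);
        start += 3;
        int end = spec.length();
        for (int i = start; i < spec.length(); i++) {
            char c = spec.charAt(i);
            if (c == '/' || c == '?' || c == '#') { end = i; break; }
        }
        return spec.substring(start, end);
    }

    /** True when there is no userInfo, or it matches the RFC 2396 grammar. */
    static boolean hasValidUserInfo(String spec) {
        String authority = rawAuthority(spec);
        int at = authority.lastIndexOf('@');
        if (at < 0) return true;
        // A backslash, or an earlier '@', is not in the allowed set and fails here.
        return USERINFO.matcher(authority.substring(0, at)).matches();
    }

    /** Validates the raw string first, then lets java.net.URL extract the host. */
    static String checkedHost(String spec) throws Exception {
        if (!hasValidUserInfo(spec))
            throw new IllegalArgumentException("illegal character in userInfo: " + spec);
        return new URL(spec).getHost();
    }

    public static void main(String[] args) throws Exception {
        // The two URLs from the report (path added as in its source snippet).
        String[] samples = {
            "https://example.com@www.google.com/path",
            "https://example.com\\@www.google.com/path" };
        for (String s : samples) {
            try { System.out.println(s + " -> host " + checkedHost(s)); }
            catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        }
    }
}
```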


            People

            Assignee:
            dfuchs Daniel Fuchs
            Reporter:
            webbuggrp Webbug Group