8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode

[OumaIntissar]

Constructing URLPermission with an empty/missing host in the authority (e.g., "http:///path") could throw StringIndexOutOfBoundsException.

Problem
Empty or malformed authorities reach HostPortrange, which does charAt(0) without checking, causing StringIndexOutOfBoundsException.

Fix

• URLPermission.Authority: after stripping userinfo, fail fast if host part is empty.
• HostPortrange: add guards for null/empty input and leading ':' (port without host).
• No HttpURLConnection changes needed in JDK 26 (the SecurityManager permission path is gone).

Compatibility
Only affects malformed inputs: previously StringIndexOutOfBoundsException, now IllegalArgumentException. Valid inputs unaffected.

Testing
New jtreg test: test/jdk/java/net/URLPermission/EmptyAuthorityTest.java verifies IllegalArgumentException for malformed authorities and success for valid ones.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Error

 ⚠️ OCA signatory status must be verified

Issue

• JDK-8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode (Bug - P5)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/27896/head:pull/27896
$ git checkout pull/27896

Update a local copy of the PR:
$ git checkout pull/27896
$ git pull https://git.openjdk.org/jdk.git pull/27896/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 27896

View PR using the GUI difftool:
$ git pr show -t 27896

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/27896.diff

[bridgekeeper]

Hi @OumaIntissar, welcome to this OpenJDK project and thanks for contributing!

We do not recognize you as Contributor and need to ensure you have signed the Oracle Contributor Agreement (OCA). If you have not signed the OCA, please follow the instructions. Please fill in your GitHub username in the "Username" field of the application. Once you have signed the OCA, please let us know by writing /signed in a comment in this pull request.

If you already are an OpenJDK Author, Committer or Reviewer, please click here to open a new issue so that we can record that fact. Please use "Add GitHub user OumaIntissar" as summary for the issue.

If you are contributing this work on behalf of your employer and your employer has signed the OCA, please let us know by writing /covered in a comment in this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

@OumaIntissar The following label will be automatically applied to this pull request:

• net

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[OumaIntissar]

/covered

[bridgekeeper]

Thank you! Please allow for a few business days to verify that your employer has signed the OCA. Also, please note that pull requests that are pending an OCA check will not usually be evaluated, so your patience is appreciated!

[openjdk]

@OumaIntissar Please do not rebase or force-push to an active PR as it invalidates existing review comments. Note for future reference, the bots always squash all changes into a single commit automatically as part of the integration. See OpenJDK Developers’ Guide for more information.