8213616: URLPermission with query or fragment behaves incorrectly

Reviewed-by: chegar, dfuchs
Michael McMahon 2018-11-15 11:26:46 +00:00
parent 8ed728c905
commit 1b34ea35c9
2 changed files with 36 additions and 3 deletions


@ -41,7 +41,7 @@ import java.security.Permission;
* <p><b>The url</b><p>
* The url string has the following expected structure.
* <pre>
* scheme : // authority [ / path ]
* scheme : // authority [ / path ] [ ignored-query-or-fragment ]
* </pre>
* <i>scheme</i> will typically be http or https, but is not restricted by this
* class.
@ -108,6 +108,16 @@ import java.security.Permission;
* {@link #hashCode()} and {@link #implies(Permission)} are case insensitive with respect
* to these components. If the <i>authority</i> contains a literal IP address,
* then the address is normalized for comparison. The path component is case sensitive.
* <p>
* <i>ignored-query-or-fragment</i> refers to any query or fragment which appears after the
* path component, and which is ignored by the constructors of this class. It is defined as:
* <pre>
* ignored-query-or-fragment = [ ? query ] [ # fragment ]
* </pre>
* where <i>query</i> and <i>fragment</i> are as defined in
* <a href="http://www.ietf.org/rfc/rfc2296.txt">RFC2396</a>. {@link #getName() getName()} therefore returns
* only the <i>scheme</i>, <i>authority</i> and <i>path</i> components of the url string that
* the permission was created with.
* <p><b>The actions string</b><p>
* The actions string of a URLPermission is a concatenation of the <i>method list</i>
* and the <i>request headers list</i>. These are lists of the permitted request
@ -167,10 +177,26 @@ public final class URLPermission extends Permission {
* @exception IllegalArgumentException if url is invalid or if actions contains white-space.
*/
public URLPermission(String url, String actions) {
super(url);
super(normalize(url));
init(actions);
}
/**
* Remove any query or fragment from url string
*/
private static String normalize(String url) {
int index = url.indexOf('?');
if (index >= 0) {
url = url.substring(0, index);
} else {
index = url.indexOf('#');
if (index >= 0) {
url = url.substring(0, index);
}
}
return url;
}
private void init(String actions) {
parseURI(getName());
int colon = actions.indexOf(':');
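Review bot: `normalize` leaves a fragment in the permission name whenever `#` appears before `?`, because the `?` branch runs first and cuts only at the `?`. For a constructed example such as `http://www.foo.com/a#frag?x`, `getName()` still ends in `#frag` and that string is handed to `parseURI(getName())`, which contradicts the new class Javadoc saying any query or fragment is ignored and can make `equals`/`implies` results differ from what a policy author expects. Cutting at whichever delimiter comes first fixes it: `int q = url.indexOf('?'), f = url.indexOf('#');` `int cut = q < 0 ? f : (f < 0 ? q : Math.min(q, f));` `return cut < 0 ? url : url.substring(0, cut);`. None of the added `imtest` cases places `#` ahead of `?`, so the new tests would not catch this ordering. Separately, the added Javadoc link is labelled RFC2396 but its href points at `rfc2296.txt`.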


@ -253,7 +253,14 @@ public class URLPermissionTest {
imtest("http://x/", "http://X/", true),
imtest("http://x/", "http://x/", true),
imtest("http://X/", "http://X/", true),
imtest("http://foo/bar", "https://foo/bar", false)
imtest("http://foo/bar", "https://foo/bar", false),
imtest("http://www.foo.com/*", "http://www.foo.com/#foo", true),
imtest("http://www.foo.com/a/*#foo", "http://www.foo.com/a/b#foo", true),
imtest("http://www.foo.com/a/-", "http://www.foo.com/a/b#foo", true),
imtest("http://www.foo.com/?q1=1&q2=2#foo", "http://www.foo.com/?q1=1&q2=2#bar", true),
imtest("http://www.foo.com/", "http://www.foo.com/?q1=1&q2=2#bar", true),
imtest("http://www.foo.com/", "http://www.foo.com?q1=1&q2=2#bar", false),
imtest("http://www.foo.com", "http://www.foo.com?q1=1&q2=2#bar", true)
};
// new functionality