From 1b34ea35c91dd266026300547200f0960ec468f2 Mon Sep 17 00:00:00 2001
From: Michael McMahon
Date: Thu, 15 Nov 2018 11:26:46 +0000
Subject: [PATCH] 8213616: URLPermission with query or fragment behaves incorrectly
Reviewed-by: chegar, dfuchs
---
 .../share/classes/java/net/URLPermission.java | 30 +++++++++++++++++--
 .../net/URLPermission/URLPermissionTest.java | 9 +++++-
 2 files changed, 36 insertions(+), 3 deletions(-)
diff --git a/src/java.base/share/classes/java/net/URLPermission.java b/src/java.base/share/classes/java/net/URLPermission.java
index e925b8697b2..33751937858 100644
--- a/src/java.base/share/classes/java/net/URLPermission.java
+++ b/src/java.base/share/classes/java/net/URLPermission.java
@@ -41,7 +41,7 @@ import java.security.Permission;
 *

The url

* The url string has the following expected structure. *

- *     scheme : // authority [ / path ]
+ *     scheme : // authority [ / path ] [ ignored-query-or-fragment ]
  * 
* scheme will typically be http or https, but is not restricted by this * class. @@ -108,6 +108,16 @@ import java.security.Permission; * {@link #hashCode()} and {@link #implies(Permission)} are case insensitive with respect * to these components. If the authority contains a literal IP address, * then the address is normalized for comparison. The path component is case sensitive. + *

+ * ignored-query-or-fragment refers to any query or fragment which appears after the + * path component, and which is ignored by the constructors of this class. It is defined as: + *

+ *     ignored-query-or-fragment = [ ? query ] [ # fragment ]
+ * 
+ * where query and fragment are as defined in + * RFC2396. {@link #getName() getName()} therefore returns + * only the scheme, authority and path components of the url string that + * the permission was created with. *

The actions string

* The actions string of a URLPermission is a concatenation of the method list * and the request headers list. These are lists of the permitted request @@ -167,10 +177,26 @@ public final class URLPermission extends Permission { * @exception IllegalArgumentException if url is invalid or if actions contains white-space. */ public URLPermission(String url, String actions) { - super(url); + super(normalize(url)); init(actions); } + /** + * Remove any query or fragment from url string + */ + private static String normalize(String url) { + int index = url.indexOf('?'); + if (index >= 0) { + url = url.substring(0, index); + } else { + index = url.indexOf('#'); + if (index >= 0) { + url = url.substring(0, index); + } + } + return url; + } + private void init(String actions) { parseURI(getName()); int colon = actions.indexOf(':'); diff --git a/test/jdk/java/net/URLPermission/URLPermissionTest.java b/test/jdk/java/net/URLPermission/URLPermissionTest.java index d445da147c7..b170850c702 100644 --- a/test/jdk/java/net/URLPermission/URLPermissionTest.java +++ b/test/jdk/java/net/URLPermission/URLPermissionTest.java @@ -253,7 +253,14 @@ public class URLPermissionTest { imtest("http://x/", "http://X/", true), imtest("http://x/", "http://x/", true), imtest("http://X/", "http://X/", true), - imtest("http://foo/bar", "https://foo/bar", false) + imtest("http://foo/bar", "https://foo/bar", false), + imtest("http://www.foo.com/*", "http://www.foo.com/#foo", true), + imtest("http://www.foo.com/a/*#foo", "http://www.foo.com/a/b#foo", true), + imtest("http://www.foo.com/a/-", "http://www.foo.com/a/b#foo", true), + imtest("http://www.foo.com/?q1=1&q2=2#foo", "http://www.foo.com/?q1=1&q2=2#bar", true), + imtest("http://www.foo.com/", "http://www.foo.com/?q1=1&q2=2#bar", true), + imtest("http://www.foo.com/", "http://www.foo.com?q1=1&q2=2#bar", false), + imtest("http://www.foo.com", "http://www.foo.com?q1=1&q2=2#bar", true) }; // new functionality
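Review bot: `normalize` cuts at the first `?` and only looks for `#` when no `?` is present, so a url whose fragment itself contains a `?` (RFC 2396 allows that), for example the constructed value `http://www.foo.com/a#b?c`, comes back as `http://www.foo.com/a#b` with the fragment still attached. That contradicts the javadoc added in this same commit, which says `getName()` returns only the scheme, authority and path, and since `init` passes `getName()` to `parseURI`, the stray `#b` presumably ends up in the path that `equals` and `implies` compare, so a grant and a request for the same resource may not match. Cutting at whichever of the two delimiters comes first removes the ordering dependence, as shown below. The cases added in the URLPermissionTest.java hunk only exercise `?` before `#`, so an `imtest` entry with `#` before `?` would pin the behaviour.

```java
private static String normalize(String url) {
    int query = url.indexOf('?');
    int fragment = url.indexOf('#');
    // Cut at whichever delimiter appears first; -1 means the delimiter is absent.
    int end = (query < 0) ? fragment : (fragment < 0 ? query : Math.min(query, fragment));
    return (end < 0) ? url : url.substring(0, end);
}
```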