JDK-8029354 : URLPermission.<init> throws IllegalArgumentException: Invalid characters in hostname
  • Type: Bug
  • Component: core-libs
  • Sub-Component: java.net
  • Affected Version: 8
  • Priority: P2
  • Status: Closed
  • Resolution: Fixed
  • Submitted: 2013-11-29
  • Updated: 2017-05-17
  • Resolved: 2013-12-09
Versions:
  • JDK 8: 8 b122 (Fixed)
  • JDK 9: 9 (Fixed)
Description
Starting with jdk8 b117, opening an http(s) connection to a server with a username in the URL fails with IllegalArgumentException. An example of the exception is attached.

From debugging the bug in NetBeans when connecting to git https repository:
1) at java.net.HostPortrange.toLowerCase(HostPortrange.java:189)
2) at java.net.HostPortrange.<init>(HostPortrange.java:150)
3) at java.net.URLPermission$Authority.<init>(URLPermission.java:476)
4) at java.net.URLPermission.parseURI(URLPermission.java:446)
5) at java.net.URLPermission.init(URLPermission.java:167)
6) at java.net.URLPermission.<init>(URLPermission.java:163)

6) called as URLPermission("https://ovrabec@bitbucket.org/ovrabec/anagramgame.git/info/refs", "GET:Accept-Encoding,Pragma,User-Agent,Accept")
3) instantiated as URLPermission$Authority("https", "ovrabec@bitbucket.org")
2) finally hostname is incorrectly parsed in HostPortrange.<init> and tries to call toLowerCase(ovrabec@bitbucket.org)

100% reproducible, cannot clone a git repository over https with authentication.

The difference between b116 and b117 is the last step in the stacktrace. While b116 simply called:
> hoststr = hoststr.toLowerCase();
b117 now calls:
> hoststr = HostPortrange.toLowerCase(hoststr);

In both builds the current value of hoststr was "ovrabec@bitbucket.org"; the new method cannot handle '@' and throws the exception. According to the spec at http://tools.ietf.org/html/rfc3986#section-3.2.1 the username may probably also contain other non-ASCII characters (encoded as %XX, I guess), so permitting only '@' may not be sufficient. The JDK should probably correctly parse just the host name and skip the userinfo part of the URI.

Original NetBeans bug:
https://netbeans.org/bugzilla/show_bug.cgi?id=238843

Comments
Release team: Approved for fixing
06-12-2013

SQE approves this critical request. The impact on customers for this bug is significant. The fix is well covered with regression tests.
04-12-2013

It breaks netbeans (and probably eclipse) users of GIT repositories because the userinfo is used in the Java implementation of the GIT client. Spec change is required to fix this also. So, would in theory have to wait until JDK 9 if not fixed for 8 GA. Fix is low risk.
04-12-2013

This really needs to be fixed in 8 before GA, otherwise we risk breaking anyone doing HTTP with a security manager that happens to have a username in the URL.
04-12-2013

Even though userinfo is not a valid component of HTTP URLs, we have supported it in the other HTTP-related classes: URL, URI, HttpURLConnection etc. In particular, the http protocol handler ignores it because there is no mechanism for it to be sent to the server. The normal form of request URI in an HTTP request is the abs_path form, which excludes the whole authority component. This bug seems to arise from a usage in NetBeans, specifically the GIT client (implemented by JGIT), which stores user credentials in the URI and presumably converts these to actual HTTP authentication credentials if required by a 401 server response. The solution we are adopting is to strip out the userinfo from the URLPermission at object construction. This effectively means the field is ignored and has no impact on any other methods (implies, equals, hashCode etc).
02-12-2013

Spec and implementation do not account for the userinfo component of the passed-in URI. Both will have to change to fix this.
29-11-2013

HostPortrange.toLowerCase() checks for valid characters and throws IAE if characters are not alphanumeric plus '-' or '.'. Clearly '@' should be allowed as well. So, we will have to review the list of allowable characters.
29-11-2013
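
The strict character check described in the 29-11-2013 comment and the userinfo stripping adopted in the 02-12-2013 comment, as an added example that is not part of the original report or the JDK source. `strictLowerCase` and `stripUserinfo` are hypothetical, simplified stand-ins (host only, no port or IPv6 handling), and the final two checks assume a JDK that contains the fix.

```java
import java.net.URLPermission;

public class UserinfoPermissionDemo {
    // Hypothetical stand-in for the strict check described in the comments:
    // lowercase the host, accept only ASCII alphanumerics, '-' and '.'.
    static String strictLowerCase(String host) {
        StringBuilder sb = new StringBuilder(host.length());
        for (int i = 0; i < host.length(); i++) {
            char c = host.charAt(i);
            if (c >= 'A' && c <= 'Z') {
                sb.append((char) (c - 'A' + 'a'));
            } else if ((c >= 'a' && c <= 'z') || (c >= '0' && c <= '9')
                    || c == '-' || c == '.') {
                sb.append(c);
            } else {
                throw new IllegalArgumentException(
                        "Invalid characters in hostname: '" + c + "'");
            }
        }
        return sb.toString();
    }

    // Hypothetical helper: drop "userinfo@" so only host[:port] is validated.
    // RFC 3986 does not allow a raw '@' inside userinfo, so the first '@'
    // in a well-formed authority is the delimiter.
    static String stripUserinfo(String authority) {
        int at = authority.indexOf('@');
        return at == -1 ? authority : authority.substring(at + 1);
    }

    public static void main(String[] args) {
        String authority = "ovrabec@bitbucket.org"; // value from the report
        try {
            strictLowerCase(authority);
        } catch (IllegalArgumentException e) {
            System.out.println("without stripping: " + e.getMessage());
        }
        System.out.println("with stripping: "
                + strictLowerCase(stripUserinfo(authority)));

        // Assumes a JDK containing the fix: userinfo is ignored, so both
        // permissions compare equal and the plain one implies the other.
        String actions = "GET:Accept-Encoding,Pragma,User-Agent,Accept";
        String path = "/ovrabec/anagramgame.git/info/refs";
        URLPermission withUser = new URLPermission("https://ovrabec@bitbucket.org" + path, actions);
        URLPermission plain = new URLPermission("https://bitbucket.org" + path, actions);
        System.out.println("equal: " + withUser.equals(plain));
        System.out.println("implies: " + plain.implies(withUser));
    }
}
```

Because the userinfo no longer takes part in `equals` or `implies`, a policy grant written for the plain URL also covers requests whose URL carries a username, so policy authors should not expect userinfo to narrow a grant.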