changeset 53538:a2413ed39eff

8213616: URLPermission with query or fragment behaves incorrectly Reviewed-by: chegar, dfuchs
author michaelm
date Thu, 15 Nov 2018 11:26:46 +0000
parents 1a534c7926cc
children c02aa8873ff2
files src/java.base/share/classes/java/net/URLPermission.java test/jdk/java/net/URLPermission/URLPermissionTest.java
diffstat 2 files changed, 36 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/src/java.base/share/classes/java/net/URLPermission.java	Thu Nov 15 11:10:04 2018 +0100
+++ b/src/java.base/share/classes/java/net/URLPermission.java	Thu Nov 15 11:26:46 2018 +0000
@@ -41,7 +41,7 @@
  * <p><b>The url</b><p>
  * The url string has the following expected structure.
  * <pre>
- *     scheme : // authority [ / path ]
+ *     scheme : // authority [ / path ] [ ignored-query-or-fragment ]
  * </pre>
  * <i>scheme</i> will typically be http or https, but is not restricted by this
  * class.
@@ -108,6 +108,16 @@
  * {@link #hashCode()} and {@link #implies(Permission)} are case insensitive with respect
  * to these components. If the <i>authority</i> contains a literal IP address,
  * then the address is normalized for comparison. The path component is case sensitive.
+ * <p>
+ * <i>ignored-query-or-fragment</i> refers to any query or fragment which appears after the
+ * path component, and which is ignored by the constructors of this class. It is defined as:
+ * <pre>
+ *     ignored-query-or-fragment = [ ? query ] [ # fragment ]
+ * </pre>
+ * where <i>query</i> and <i>fragment</i> are as defined in
+ * <a href="http://www.ietf.org/rfc/rfc2296.txt">RFC2396</a>. {@link #getName() getName()} therefore returns
+ * only the <i>scheme</i>, <i>authority</i> and <i>path</i> components of the url string that
+ * the permission was created with.
  * <p><b>The actions string</b><p>
  * The actions string of a URLPermission is a concatenation of the <i>method list</i>
  * and the <i>request headers list</i>. These are lists of the permitted request
@@ -167,10 +177,26 @@
      * @exception IllegalArgumentException if url is invalid or if actions contains white-space.
      */
     public URLPermission(String url, String actions) {
-        super(url);
+        super(normalize(url));
         init(actions);
     }
 
+    /**
+     * Remove any query or fragment from url string
+     */
+    private static String normalize(String url) {
+        int index = url.indexOf('?');
+        if (index >= 0) {
+            url = url.substring(0, index);
+        } else {
+            index = url.indexOf('#');
+            if (index >= 0) {
+                url = url.substring(0, index);
+            }
+        }
+        return url;
+    }
+
     private void init(String actions) {
         parseURI(getName());
         int colon = actions.indexOf(':');
--- a/test/jdk/java/net/URLPermission/URLPermissionTest.java	Thu Nov 15 11:10:04 2018 +0100
+++ b/test/jdk/java/net/URLPermission/URLPermissionTest.java	Thu Nov 15 11:26:46 2018 +0000
@@ -253,7 +253,14 @@
         imtest("http://x/", "http://X/", true),
         imtest("http://x/", "http://x/", true),
         imtest("http://X/", "http://X/", true),
-        imtest("http://foo/bar", "https://foo/bar", false)
+        imtest("http://foo/bar", "https://foo/bar", false),
+        imtest("http://www.foo.com/*", "http://www.foo.com/#foo", true),
+        imtest("http://www.foo.com/a/*#foo", "http://www.foo.com/a/b#foo", true),
+        imtest("http://www.foo.com/a/-", "http://www.foo.com/a/b#foo", true),
+        imtest("http://www.foo.com/?q1=1&q2=2#foo", "http://www.foo.com/?q1=1&q2=2#bar", true),
+        imtest("http://www.foo.com/", "http://www.foo.com/?q1=1&q2=2#bar", true),
+        imtest("http://www.foo.com/", "http://www.foo.com?q1=1&q2=2#bar", false),
+        imtest("http://www.foo.com", "http://www.foo.com?q1=1&q2=2#bar", true)
     };
 
     // new functionality