Incomplete input validation in the URL class can cause an IndexOutOfBoundsException (IOOBE) to be
thrown from the openConnection method, where according to the API
documentation no exception is expected to be thrown.
A jshell PoC:
jshell> new URL("ftp://.:%@")
$1 ==> ftp://.:%@
jshell> $1.openConnection()
| Exception java.lang.IndexOutOfBoundsException
| at Integer.parseInt (Integer.java:706)
| at ParseUtil.unescape (ParseUtil.java:163)
| at ParseUtil.decode (ParseUtil.java:199)
| at FtpURLConnection.<init> (FtpURLConnection.java:204)
| at Handler.openConnection (Handler.java:61)
| at Handler.openConnection (Handler.java:56)
| at URL.openConnection (URL.java:1126)
| at (#2:1)
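
A caller-side guard for the failure shown in the trace, as an added example that is not part of the original report and is not the JDK fix. It assumes the trigger is the truncated percent escape in the user-info part of the URL, which is what the ParseUtil.unescape frame suggests; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;

public class CheckedOpen {                       // hypothetical helper class

    static boolean isHex(char c) {               // ASCII hex digits only
        return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') || (c >= 'A' && c <= 'F');
    }

    // True if every '%' in s is followed by two ASCII hex digits.
    static boolean escapesWellFormed(String s) {
        for (int i = 0; i < s.length(); i++) {
            if (s.charAt(i) != '%') continue;
            if (i + 2 >= s.length() || !isHex(s.charAt(i + 1)) || !isHex(s.charAt(i + 2))) {
                return false;                    // truncated or non-hex escape
            }
            i += 2;                              // skip the two digits just checked
        }
        return true;
    }

    // Opens the connection, turning bad input into a checked exception.
    static URLConnection openChecked(URL url) throws IOException {
        String userInfo = url.getUserInfo();     // ".:%" for the URL in the report
        if (userInfo != null && !escapesWellFormed(userInfo)) {
            // The message omits the user info itself, since it may hold a password.
            throw new MalformedURLException("malformed percent escape in user info");
        }
        try {
            return url.openConnection();         // does not connect yet
        } catch (RuntimeException e) {
            // Defence in depth: any unchecked exception from a protocol handler
            // is reported as an input error instead of escaping to the caller.
            throw (IOException) new MalformedURLException("URL rejected by protocol handler").initCause(e);
        }
    }

    @SuppressWarnings("deprecation")             // new URL(String) is deprecated in recent JDKs
    public static void main(String[] args) throws Exception {
        // First input is the one from the report; the second is constructed.
        for (String s : new String[] {"ftp://.:%@", "ftp://user:p%40ss@example.com/"}) {
            try {
                openChecked(new URL(s));
                System.out.println("accepted: " + s);
            } catch (IOException e) {
                System.out.println("rejected: " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```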