P4
The JavaRuntimeURLConnection allows "jrt:" URLs of the form:
jrt:/<module>/<resource-name>
to be used to return resources for the currently running JVM.
The code handling URL parsing in JavaRuntimeURLConnection behaves inconsistently with respect to percent encoding, which both:
1. Allows for some quite confusingly obfuscated URLs to be used.
2. Disallows callers from percent escaping non-ASCII characters in module names.
Additionally, the code also silently permits URLs with authority, query and fragments, which can lead to a lot of opportunity for obfuscation of these URLs.
We should unify the handling of URLs, make clearer rules about where percent encoding is allowed, and (probably) start rejecting URLs with unexpected extra parts like fragments etc.
jrt:/<module>/<resource-name>
to be used to return resources for the currently running JVM.
The code handling URL parsing in JavaRuntimeURLConnection behaves inconsistently with respect to percent encoding, which both:
1. Allows for some quite confusingly obfuscated URLs to be used.
2. Disallows callers from percent escaping non-ASCII characters in module names.
Additionally, the code also silently permits URLs with authority, query and fragments, which can lead to a lot of opportunity for obfuscation of these URLs.
We should unify the handling of URLs, make clearer rules about where percent encoding is allowed, and (probably) start rejecting URLs with unexpected extra parts like fragments etc.