8230407: SocketPermission and FilePermission action list allows leading comma

Co-authored-by: Chris Hegarty <chris.hegarty@oracle.com> Reviewed-by: chegar
2025-08-27 14:54:52 +02:00 · 2019-10-16 14:32:17 -07:00 · 2019-10-16 14:32:17 -07:00 · 31afddccae
commit 31afddccae
parent 7e6ebde13c
4 changed files with 94 additions and 38 deletions
--- a/src/java.base/share/classes/java/net/SocketPermission.java
+++ b/src/java.base/share/classes/java/net/SocketPermission.java
@ -287,6 +287,11 @@ public final class SocketPermission extends Permission
     * @param host the hostname or IP address of the computer, optionally
     * including a colon followed by a port or port range.
     * @param action the action string.
+     *
+     * @throws NullPointerException if any parameters are null
+     * @throws IllegalArgumentException if the format of {@code host} is
+     *         invalid, or if the {@code action} string is empty, malformed, or
+     *         contains an action other than the specified possible actions
     */
    public SocketPermission(String host, String action) {
        super(getHost(host));
@ -589,14 +594,15 @@ public final class SocketPermission extends Permission
            // like "ackbarfaccept".  Also, skip to the comma.
            boolean seencomma = false;
            while (i >= matchlen && !seencomma) {
-                switch(a[i-matchlen]) {
-                case ',':
-                    seencomma = true;
-                    break;
+                switch (c = a[i-matchlen]) {
                case ' ': case '\r': case '\n':
                case '\f': case '\t':
                    break;
                default:
+                    if (c == ',' && i > matchlen) {
+                        seencomma = true;
+                        break;
+                    }
                    throw new IllegalArgumentException(
                            "invalid permission: " + action);
                }