8296676: Improve String platform support

Reviewed-by: aefimov, dfuchs
2025-08-27 23:04:50 +02:00 · 2022-12-21 10:04:07 +00:00 · 2022-12-21 10:04:07 +00:00 · ec119716e5
commit ec119716e5
parent 5ec0120152
2 changed files with 35 additions and 2 deletions
--- a/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+++ b/src/java.base/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
@ -2359,7 +2359,8 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
     * the connection.
     */
    @SuppressWarnings({"removal","fallthrough"})
-    private AuthenticationInfo getHttpProxyAuthentication(AuthenticationHeader authhdr) {
+    private AuthenticationInfo getHttpProxyAuthentication(AuthenticationHeader authhdr)
+        throws IOException {

        assert isLockHeldByCurrentThread();

@ -2460,6 +2461,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
                                                authenticator,
                                                host, null, port, url.getProtocol(),
                                                "", scheme, url, RequestorType.PROXY);
+                            validateNTLMCredentials(a);
                        }
                        /* If we are not trying transparent authentication then
                         * we need to have a PasswordAuthentication instance. For
@ -2529,7 +2531,8 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
     * preferred.
     */
    @SuppressWarnings("fallthrough")
-    private AuthenticationInfo getServerAuthentication(AuthenticationHeader authhdr) {
+    private AuthenticationInfo getServerAuthentication(AuthenticationHeader authhdr)
+        throws IOException {

        // Only called from getInputStream0
        assert isLockHeldByCurrentThread();
@ -2641,6 +2644,7 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
                                authenticator,
                                url.getHost(), addr, port, url.getProtocol(),
                                "", scheme, url, RequestorType.SERVER);
+                            validateNTLMCredentials(a);
                        }

                        /* If we are not trying transparent authentication then
@ -3997,6 +4001,27 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
    private static URL newURL(URL context, String spec) throws MalformedURLException {
        return new URL(context, spec);
    }
+
+    // ensure there are no null characters in username or password
+    private static void validateNTLMCredentials(PasswordAuthentication pw)
+        throws IOException {
+
+        if (pw == null) {
+            return;
+        }
+        char[] password = pw.getPassword();
+        if (password != null) {
+            for (int i=0; i<password.length; i++) {
+                if (password[i] == 0) {
+                    throw new IOException("NUL character not allowed in NTLM password");
+                }
+            }
+        }
+        String username = pw.getUserName();
+        if (username != null && username.indexOf(0) != -1) {
+            throw new IOException("NUL character not allowed in NTLM username or domain");
+        }
+    }
 }

 /** An input stream that just returns EOF.  This is for