Constructing URLPermission with an empty/missing host in the authority (e.g., `"http:///path"`) could throw `StringIndexOutOfBoundsException`.
**Problem** Empty or malformed authorities reach HostPortrange, which does `charAt(0)` without checking, causing `StringIndexOutOfBoundsException`. **Fix** - `URLPermission.Authority`: after stripping userinfo, fail fast if host part is empty. - `HostPortrange`: add guards for null/empty input and leading ':' (port without host). - No `HttpURLConnection` changes needed in JDK 26 (the `SecurityManager` permission path is gone). **Compatibility** Only affects malformed inputs: previously `StringIndexOutOfBoundsException`, now `IllegalArgumentException`. Valid inputs unaffected. **Testing** New jtreg test: `test/jdk/java/net/URLPermission/EmptyAuthorityTest.java` verifies `IllegalArgumentException` for malformed authorities and success for valid ones. ------------- Commit messages: - 8367049: URL.openConnection throws StringIndexOutOfBoundsException in avm mode Changes: https://git.openjdk.org/jdk/pull/27896/files Webrev: https://webrevs.openjdk.org/?repo=jdk&pr=27896&range=00 Issue: https://bugs.openjdk.org/browse/JDK-8367049 Stats: 81 lines in 3 files changed: 81 ins; 0 del; 0 mod Patch: https://git.openjdk.org/jdk/pull/27896.diff Fetch: git fetch https://git.openjdk.org/jdk.git pull/27896/head:pull/27896 PR: https://git.openjdk.org/jdk/pull/27896
