On Fri, 10 Jun 2022 12:16:17 GMT, Matthias Baesken <mbaes...@openjdk.org> wrote:
> When trying to construct an LdapURL object with a bad input string (in this
> example the _ in ad_jbs is causing issues), and not using
> the backward compatibility flag -Dcom.sun.jndi.ldapURLParsing="legacy" we run
> into the exception below :
>
> import com.sun.jndi.ldap.LdapURL;
> ....
> String url = "ldap://ad_jbs.ttt.net:389/xyz"; // bad input string containing _
> LdapURL ldapUrl = new LdapURL(url);
>
>
> java --add-opens java.naming/com.sun.jndi.ldap=ALL-UNNAMED LdapParseUrlTest
> Exception in thread "main" javax.naming.NamingException: Cannot parse url:
> ldap://ad_jbs.ttt.net:389/xyz [Root exception is
> java.net.MalformedURLException: unsupported authority: ad_jbs.ttt.net:389]
>         at java.naming/com.sun.jndi.ldap.LdapURL.<init>(LdapURL.java:115)
>         at LdapParseUrlTest.main(LdapParseUrlTest.java:9)
> Caused by: java.net.MalformedURLException: unsupported authority:
> ad_jbs.ttt.net:389
>         at java.naming/com.sun.jndi.toolkit.url.Uri.parseCompat(Uri.java:367)
>         at java.naming/com.sun.jndi.toolkit.url.Uri.parse(Uri.java:230)
>         at java.naming/com.sun.jndi.toolkit.url.Uri.init(Uri.java:174)
>         at java.naming/com.sun.jndi.ldap.LdapURL.<init>(LdapURL.java:105)
>
> I would like to add the host and port info to the exception (in the example
> it is host:port of URI:null:-1] ) so that it is directly visible that the
> input caused the construction of a URI
> with "special"/problematic host and port values.

`URISyntaxException`/`MalformedURLException` usually contains the whole URL - so in this case, because we're parsing a URL, I believe the added information would not leak more sensitive data - especially since I'd expect `URI.getHost()` to be always `null` and `URI.getPort()` to be always `-1` in this case. That is - this exception is thrown when the authority is parsed as a reg_name, as opposed to server-based, because the provided host name (or what looks like a host name) contains a character that is not allowed by java.net.URI in a host name.
jshell> URI.create("ldap://a_b.com:389/foo");
$1 ==> ldap://a_b.com:389/foo

jshell> $1.getAuthority()
$2 ==> "a_b.com:389"

jshell> $1.getHost()
$3 ==> null

As a point of comparison, here is what URISyntaxException looks like if the authority contains a character which is not legal at all in authority:

jshell> new URI("ldap://a_%b.com:389/foo");
|  Exception java.net.URISyntaxException: Malformed escape pair at index 9: ldap://a_%b.com:389/foo
|        at URI$Parser.fail (URI.java:2973)

I agree we should wait for someone from security-dev to chime in though. I might question whether the added "null:-1" information is really helpful, or just as confusing however.

-------------

PR: https://git.openjdk.org/jdk/pull/9126
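As an added illustration, not code from the PR or from either message above, the following standalone Java class runs java.net.URI over the three authority shapes the thread discusses (underscore host, a hyphenated host as a constructed comparison value, and a host with an illegal escape) and reports how each was parsed. It shows why, for the reg_name case, host/port would always read null/-1, and gives a caller a way to tell a server-based authority from a registry-based one before handing a URL to JNDI.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class LdapAuthorityCheck {

    // Classify how java.net.URI parsed the authority of the given URL string.
    // Returns a short description; never throws, so it can be used as a
    // pre-check before constructing com.sun.jndi.ldap.LdapURL.
    static String classify(String url) {
        try {
            URI u = new URI(url);
            if (u.getRawAuthority() == null) {
                return "no authority component";
            }
            if (u.getHost() == null) {
                // java.net.URI fell back to a registry-based authority because
                // the host part contains a character it does not allow in a
                // host name (here: '_'). getHost() is null and getPort() is -1.
                return "registry-based authority (host=null, port=" + u.getPort()
                        + "): " + u.getRawAuthority();
            }
            // Server-based authority: host and port were recognised.
            return "server-based authority (host=" + u.getHost()
                    + ", port=" + u.getPort() + ")";
        } catch (URISyntaxException e) {
            // Character illegal anywhere in an authority, e.g. a broken escape.
            return "URISyntaxException: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        String[] samples = {
            "ldap://ad_jbs.ttt.net:389/xyz",   // underscore: reg_name, from the thread
            "ldap://ad-jbs.ttt.net:389/xyz",   // hyphen: constructed, server-based
            "ldap://a_%b.com:389/foo"          // malformed escape pair, from the thread
        };
        for (String s : samples) {
            System.out.println(s + " -> " + classify(s));
        }
    }
}
```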