4 files changed, 50 insertions, 5 deletions
diff --git a/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java b/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java
index e560abf9c2..582687ba46 100644
--- a/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java
+++ b/src/share/classes/sun/net/www/protocol/ftp/FtpURLConnection.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1994, 2016, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1994, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -36,6 +36,7 @@ import java.io.BufferedInputStream;
 import java.io.FilterInputStream;
 import java.io.FilterOutputStream;
 import java.io.FileNotFoundException;
+import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.SocketPermission;
 import java.net.UnknownHostException;
@@ -47,6 +48,7 @@ import java.util.StringTokenizer;
 import java.util.Iterator;
 import java.security.Permission;
 import sun.net.NetworkClient;
+import sun.net.util.IPAddressUtil;
 import sun.net.www.MessageHeader;
 import sun.net.www.MeteredStream;
 import sun.net.www.URLConnection;
@@ -155,6 +157,21 @@ public class FtpURLConnection extends URLConnection {
         }
     }
 
+    static URL checkURL(URL u) throws IllegalArgumentException {
+        if (u != null) {
+            if (u.toExternalForm().indexOf('\n') > -1) {
+                Exception mfue = new MalformedURLException("Illegal character in URL");
+                throw new IllegalArgumentException(mfue.getMessage(), mfue);
+            }
+        }
+        String s = IPAddressUtil.checkAuthority(u);
+        if (s != null) {
+            Exception mfue = new MalformedURLException(s);
+            throw new IllegalArgumentException(mfue.getMessage(), mfue);
+        }
+        return u;
+    }
+
     /**
      * Creates an FtpURLConnection from a URL.
      *
@@ -168,7 +185,7 @@ public class FtpURLConnection extends URLConnection {
      * Same as FtpURLconnection(URL) with a per connection proxy specified
      */
     FtpURLConnection(URL url, Proxy p) {
-        super(url);
+        super(checkURL(url));
         instProxy = p;
         host = url.getHost();
         port = url.getPort();
diff --git a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
index 4c5ec78fca..f00060effa 100644
--- a/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
+++ b/src/share/classes/sun/net/www/protocol/http/HttpURLConnection.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1995, 2018, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1995, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -66,6 +66,7 @@ import java.util.HashSet;
 import java.util.HashMap;
 import java.util.Set;
 import sun.net.*;
+import sun.net.util.IPAddressUtil;
 import sun.net.www.*;
 import sun.net.www.http.HttpClient;
 import sun.net.www.http.PosterOutputStream;
@@ -850,8 +851,13 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
                 throw new MalformedURLException("Illegal character in URL");
             }
         }
+        String s = IPAddressUtil.checkAuthority(u);
+        if (s != null) {
+            throw new MalformedURLException(s);
+        }
         return u;
     }
+
     protected HttpURLConnection(URL u, Proxy p, Handler handler)
             throws IOException {
         super(checkURL(u));
@@ -2139,6 +2145,10 @@ public class HttpURLConnection extends java.net.HttpURLConnection {
             } while (retryTunnel < maxRedirects);
 
             if (retryTunnel >= maxRedirects || (respCode != HTTP_OK)) {
+                if (respCode != HTTP_PROXY_AUTH) {
+                    // remove all but authenticate responses
+                    responses.reset();
+                }
                 throw new IOException("Unable to tunnel through proxy."+
                                       " Proxy returns \"" +
                                       statusLine + "\"");
diff --git a/src/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java b/src/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java
index e43a36310a..0186e24725 100644
--- a/src/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java
+++ b/src/share/classes/sun/net/www/protocol/https/HttpsURLConnectionImpl.java
@@ -45,6 +45,7 @@ import java.security.Permission;
 import java.security.Principal;
 import java.util.Map;
 import java.util.List;
+import sun.net.util.IPAddressUtil;
 import sun.net.www.http.HttpClient;
 
 /**
@@ -86,6 +87,10 @@ public class HttpsURLConnectionImpl
                 throw new MalformedURLException("Illegal character in URL");
             }
         }
+        String s = IPAddressUtil.checkAuthority(u);
+        if (s != null) {
+            throw new MalformedURLException(s);
+        }
         return u;
     }
 // For both copies of the file, uncomment one line and comment the other
@@ -333,7 +338,7 @@ public class HttpsURLConnectionImpl
      * @param   key     the keyword by which the request is known
      *                  (e.g., "<code>accept</code>").
      * @param   value  the value associated with it.
-     * @see #getRequestProperties(java.lang.String)
+     * @see #getRequestProperty(java.lang.String)
      * @since 1.4
      */
     public void addRequestProperty(String key, String value) {
diff --git a/src/share/classes/sun/net/www/protocol/jar/Handler.java b/src/share/classes/sun/net/www/protocol/jar/Handler.java
index 8e9f8e3a35..4a3ae7e8ae 100644
--- a/src/share/classes/sun/net/www/protocol/jar/Handler.java
+++ b/src/share/classes/sun/net/www/protocol/jar/Handler.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 1997, 2011, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 1997, 2019, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -121,6 +121,13 @@ public class Handler extends java.net.URLStreamHandler {
         return h;
     }
 
+    public String checkNestedProtocol(String spec) {
+        if (spec.regionMatches(true, 0, "jar:", 0, 4)) {
+            return "Nested JAR URLs are not supported";
+        } else {
+            return null;
+        }
+    }
 
     @Override
     @SuppressWarnings("deprecation")
@@ -147,6 +154,12 @@ public class Handler extends java.net.URLStreamHandler {
         }
         spec = spec.substring(start, limit);
 
+        String exceptionMessage = checkNestedProtocol(spec);
+        if (exceptionMessage != null) {
+            // NPE will be transformed into MalformedURLException by the caller
+            throw new NullPointerException(exceptionMessage);
+        }
+
         if (absoluteSpec) {
             file = parseAbsoluteSpec(spec);
         } else if (!refOnly) {