From 16e2b7edd13cea3697ca96bcdd8c31d635f4a71b Mon Sep 17 00:00:00 2001
From: baranowb
Date: Thu, 30 Oct 2025 08:23:35 +0100
Subject: [PATCH] [UNDERTOW-2625] Guard against bad characters in isValid*Character
---
 .../src/main/java/io/undertow/server/Connectors.java | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/core/src/main/java/io/undertow/server/Connectors.java b/core/src/main/java/io/undertow/server/Connectors.java
index 9939ce2097..4dcddb9ea2 100644
--- a/core/src/main/java/io/undertow/server/Connectors.java
+++ b/core/src/main/java/io/undertow/server/Connectors.java
@@ -664,11 +664,19 @@ public static void verifyToken(HttpString header) {
 * Returns true if the token character is valid according to rfc7230
 */
 public static boolean isValidTokenCharacter(byte c) {
- return ALLOWED_TOKEN_CHARACTERS[c];
+ if (c < 0 || c > ALLOWED_TOKEN_CHARACTERS.length - 1) {
+ return false;
+ } else {
+ return ALLOWED_TOKEN_CHARACTERS[c];
+ }
 }
 public static boolean isValidSchemeCharacter(byte c) {
- return ALLOWED_SCHEME_CHARACTERS[c];
+ if (c < 0 || c > ALLOWED_SCHEME_CHARACTERS.length - 1) {
+ return false;
+ } else {
+ return ALLOWED_SCHEME_CHARACTERS[c];
+ }
 }
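Review bot: The new guards in `isValidTokenCharacter` and `isValidSchemeCharacter` ship without a regression test (the diffstat lists only Connectors.java), and neither method documents that a negative `byte`, i.e. any octet 0x80–0xFF, now yields `false` where the old direct index threw `ArrayIndexOutOfBoundsException`. I would add a test that passes `(byte) 0x80` and `(byte) 0xFF` to both methods, and give `isValidSchemeCharacter` (which has no Javadoc in the hunk) a comment such as `Returns false for any byte outside the lookup table, including negative (non-ASCII) values`. As a style point, the two guards differ only in the table, so each reads more directly as one expression, e.g. `return c >= 0 && c < ALLOWED_TOKEN_CHARACTERS.length && ALLOWED_TOKEN_CHARACTERS[c];`. `verifyToken`, named in the hunk header, lies outside this hunk; if it or any other caller indexes these tables directly with a raw byte instead of going through these methods, it would presumably need the same check.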