getCodeBase broken locally in 7 update 25

Sandeep Konchady sandeep.konchady at oracle.com
Wed Jun 19 16:39:40 PDT 2013


Hi Mickey,

The issue you are seeing is intended behavior. This was caused because of a vulnerability that was fixed in 7u25 in which which a  getCodeBase call against all local applet/jnlp apps will return null.

Thanks,
Sandeep

On Jun 19, 2013, at 3:18 PM, "Mickey Segal" <java3 at segal.org> wrote:

> The local getCodeBase problem is not present in Java 8 build 94, the most recent version. 
>  
> From: Mickey Segal [mailto:java3 at segal.org] 
> Sent: Wednesday, June 19, 2013 3:56 PM
> To: Java Security (security-dev at openjdk.java.net)
> Subject: RE: getCodeBase broken locally in 7 update 25
>  
> The same getCodeBase problem seems to be occurring on the MacOS version too.
>  
> From: Mickey Segal [mailto:java3 at segal.org]
> 
> I upgraded a Windows 7 computer to Java version 1.7.0_25 from 1.7.0_21.  A getCodeBase call in a signed applet now returns null.  In previous versions of Java, getCodeBase returned a URL that referred to the current directory (tested from Java 1.1 to 1.7.0_21 over the years).
>  
> Was this done purposely for security reasons, or is it just a bug? 
>  
> I will also test on Macintosh and report back on macosx-port-dev if it is a problem there too.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.openjdk.java.net/pipermail/security-dev/attachments/20130619/54163fab/attachment.html 


More information about the security-dev mailing list