getCodeBase broken locally in 7 update 25

Phillip Thomas Phillip.G.Thomas at Census.GOV
Wed Jun 26 09:40:28 PDT 2013



Sandeep Konchady <sandeep.konchady at ...> writes:

> 
> Hi Mickey,
> The issue you are seeing is intended behavior. This was caused because of
> a vulnerability that was fixed in 7u25 in which a getCodeBase call
> against all local applet/jnlp apps will return null.
> 
> 
> Thanks,
> Sandeep
> 
> 
> On Jun 19, 2013, at 3:18 PM, "Mickey Segal" <java3 at segal.org> wrote:
> 
> The local getCodeBase problem is not present in Java 8 build 94, the most
> recent version.
>  
> 
> From: Mickey Segal [mailto:java3 <at> segal.org]
> Sent: Wednesday, June 19, 2013 3:56 PM
> To: Java Security (security-dev at openjdk.java.net)
> Subject: RE: getCodeBase broken locally in 7 update 25
> 
>  
> The same getCodeBase problem seems to be occurring on the MacOS version too.
>  
> From: Mickey Segal [mailto:java3 at segal.org]
> I upgraded a Windows 7 computer to Java version 1.7.0_25 from 1.7.0_21.  A
> getCodeBase call in a signed applet now returns null.  In previous versions
> of Java, getCodeBase returned a URL that referred to the current directory
> (tested from Java 1.1 to 1.7.0_21 over the years).
>  
> Was this done purposely for security reasons, or is it just a bug? 
>  
> I will also test on Macintosh and report back on macosx-port-dev if it is
> a problem there too.
> 


Howdy,

Is there any more information on this change, such as what security this
actually provides?

Thanks In Advance,
Phillip Thomas


