getCodeBase broken locally in 7 update 25

Sandeep Konchady sandeep.konchady at
Wed Jun 19 16:39:40 PDT 2013

Hi Mickey,

The issue you are seeing is intended behavior. This was caused because of a vulnerability that was fixed in 7u25 in which which a  getCodeBase call against all local applet/jnlp apps will return null.


On Jun 19, 2013, at 3:18 PM, "Mickey Segal" <java3 at> wrote:

> The local getCodeBase problem is not present in Java 8 build 94, the most recent version. 
> From: Mickey Segal [mailto:java3 at] 
> Sent: Wednesday, June 19, 2013 3:56 PM
> To: Java Security (security-dev at
> Subject: RE: getCodeBase broken locally in 7 update 25
> The same getCodeBase problem seems to be occurring on the MacOS version too.
> From: Mickey Segal [mailto:java3 at]
> I upgraded a Windows 7 computer to Java version 1.7.0_25 from 1.7.0_21.  A getCodeBase call in a signed applet now returns null.  In previous versions of Java, getCodeBase returned a URL that referred to the current directory (tested from Java 1.1 to 1.7.0_21 over the years).
> Was this done purposely for security reasons, or is it just a bug? 
> I will also test on Macintosh and report back on macosx-port-dev if it is a problem there too.

-------------- next part --------------
An HTML attachment was scrubbed...

More information about the security-dev mailing list