getCodeBase broken locally in 7 update 25
Graham Smith
g.h.smith at leeds.ac.uk
Wed Sep 4 12:56:52 UTC 2013
Sandeep Konchady <sandeep.konchady at ...> writes:
>
> Hi Mickey,
> The issue you are seeing is intended behavior. This was caused because of a vulnerability that was fixed in 7u25 in which a getCodeBase call against all local applet/jnlp apps will return null.
>
>
> Thanks,
> Sandeep
>
>
> On Jun 19, 2013, at 3:18 PM, "Mickey Segal" <java3 at segal.org> wrote:
>
> The local getCodeBase problem is not present in Java 8 build 94, the most recent version.
>
>
> From: Mickey Segal [mailto:java3 at segal.org]
> Sent: Wednesday, June 19, 2013 3:56 PM
> To: Java Security (security-dev at openjdk.java.net)
> Subject: RE: getCodeBase broken locally in 7 update 25
>
>
> The same getCodeBase problem seems to be occurring on the MacOS version too.
>
> From: Mickey Segal [mailto:java3 at segal.org]
> I upgraded a Windows 7 computer to Java version 1.7.0_25 from 1.7.0_21. A getCodeBase call in a signed applet now returns null. In previous versions of Java, getCodeBase returned a URL that referred to the current directory (tested from Java 1.1 to 1.7.0_21 over the years).
>
> Was this done purposely for security reasons, or is it just a bug?
>
> I will also test on Macintosh and report back on macosx-port-dev if it is a problem there too.
>
>
>
>
>
Hi Mickey:
You wrote
"The local getCodeBase problem is not present in Java 8 build 94, the most recent version."
Does this mean that Oracle have relented, or will the problem re-appear later?
Regards
Graham