United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
Bug ID: JDK-8016046 (process) Strict validation of input should be security manager case only [win]
JDK-8016046 : (process) Strict validation of input should be security manager case only [win]

Details
Type:
Bug
Submit Date:
2013-06-06
Status:
Closed
Updated Date:
2013-09-10
Project Name:
JDK
Resolved Date:
2013-06-18
Component:
core-libs
OS:
Sub-Component:
java.lang
CPU:
Priority:
P2
Resolution:
Fixed
Affected Versions:
7u21,7u25,8
Fixed Versions:

Related Reports
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Duplicate:
Relates:

Sub Tasks

Description
The changes in JDK-8005942 (with follow up changes JDK-8009463 and JDK-8012453) involve parsing the command-line input to determine the command and arguments parts. The parsing includes checking for quoting and other special cases such as CMD and BAT files.

These changes are causing huge pain to developers and customers that have been using Runtime.exec and ProcessBuilder in insecure and sloppy ways. In summary we cannot change the JDK to impose rules around quoting and special cases after 15 years without causing major breakage and compatibility issues for customers and developers.

This bug is submitted to re-visit this topic with a view to only imposing the strict parsing and checking when there is a security manager set. When not running with a security manager then the JDK should just pass the command to Windows as it always did. Clearly there is still potential for breakage when running with a security manager but any usages of Runtime.exec and ProcessBuilder in this context need to be done in a secure manner.

One downside of reverting to long standing behavior that developers will continue to use Runtime.exec in sloppy ways. One possible aid would be to introduce a property that allows developers to strict parsing. If the diagnostic output is good then it would help developers to create the command strings correctly.


                                    

Comments
URL:   http://hg.openjdk.java.net/jdk8/tl/jdk/rev/956b00d7d4ea
User:  uta
Date:  2013-06-18 13:31:05 +0000

                                     
2013-06-18
I will approve this - provided that 1) there's SQE-OK and 2) the release team reviews and doesn't have any concerns. Please get SQE to review and mark with SQE-OK if they agree to this fix 
                                     
2013-06-20
SQE is OK with this fix
                                     
2013-06-20
URL:   http://hg.openjdk.java.net/jdk8/jdk8/jdk/rev/956b00d7d4ea
User:  lana
Date:  2013-06-24 22:17:17 +0000

                                     
2013-06-24
Verified with jdk8/b97 with provided regression test.
                                     
2013-07-05



Hardware and Software, Engineered to Work Together