JDK-8016513 : Webstart throws StringIndexOutOfBoundsException using property and Java-VM-args

Details
Type: Bug
Submit Date: 2013-06-13
Status: Closed
Updated Date: 2014-02-12
Project Name: JDK
Resolved Date: 2013-06-26
Component: deploy
OS: linux
Sub-Component: webstart
CPU:
Priority: P3
Resolution: Fixed
Affected Versions: 7,8
Fixed Versions:

Related Reports
Backport:
Backport:
Duplicate:

Sub Tasks

Description
javaws fails to initialize and throws StringIndexOutOfBoundsException
when using, in the resources tag, a valid java-vm-args option with the character "=",
together with a valid property

$HOME/Library/Application\ Support/Oracle/Java/Deployment/log/javaws.....trace

java.lang.StringIndexOutOfBoundsException: String index out of range: -5
at java.lang.String.substring(String.java:1911)
at com.sun.deploy.util.Property.<init>(Unknown Source)
at com.sun.deploy.util.Property.createProperty(Unknown Source)
at com.sun.deploy.util.JVMParameters$ArgumentSet.addArgument(Unknown Source)
at com.sun.deploy.util.JVMParameters.addArgumentImpl(Unknown Source)
at com.sun.deploy.util.JVMParameters.parseImpl(Unknown Source)
at com.sun.deploy.util.JVMParameters.parseTrustedOptions(Unknown Source)
at com.sun.javaws.Main.initializeExecutionEnvironment(Unknown Source)
at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
at com.sun.javaws.Main.access$000(Unknown Source)
at com.sun.javaws.Main$1.run(Unknown Source)
at java.lang.Thread.run(Thread.java:722)

Steps to reproduce:
1. Start dynamictree-webstart_lab_prop.jnlp using javaws

Actual result:
The application does not start. The corresponding javaws trace file contains StringIndexOutOfBoundsException (see above)

Expected result:
The application should start successfully.
                                    

Comments
regression_test_src:
http://sqe-hg.us.oracle.com/hg/index.cgi/testbase/javase/functional/8/deployment2/file/b490f0ed51af/new_framework/tests/javaws/vmargs/src/vmargsTest.java (vmargsTest::testsignedNewSize)
                                     
2013-11-21
Verified with jre8-b111 on Mac 10.8.4
                                     
2013-11-21
On Jul 2, 2013, at 3:29 PM, Penni Henry wrote:

> Thanks - Jeannette - let me know if you give your OK now. We already have SQE-OK - so we're just waiting for your approval.
>
> - Penni

Per Jeannette:  - yes, thanks!
                                     
2013-07-03
The fix does not cause any new vulnerabilities. It just validates the input string, if it is required. 
I tested the changes on MacOS, Linux and Windows, the fix looks OK. Removing nmi label.
                                     
2013-07-02
Chris Ries from VT reviewed and approved:

Hi Thomas,

I looked into this and the change doesn't appear to introduce any security issues.  The security-related checks (arguments/properties that are not allowed, characters that lead to command-line injection issues, etc.) are performed outside of StringQuoteUtil and after it has broken up the command-line, so this change does not appear to affect them at all (even if the command-line got broken up differently as a result of this change, the checks performed afterwards should catch any problems that result).

Thanks,
Chris 
                                     
2013-07-02
Per Jeannette:  I've asked Drew Gross to take a quick look.   I will wait for the results from Jeannette/Drew before I mark this approved.

                                     
2013-07-02
Issue is only applicable to MacOS and Linux. Due to this bug, there is no way to use valid/secure jvm args with "=" sign in JNLP file. Webstart will not launch and will die silently with StringIndexOutOfBounds exception, e.g. something like this in JNLP will not work:

      java-vm-args="-XX:MinHeapFreeRatio=20 -XX:MaxHeapFreeRatio=35"

SQE-OK to take this fix for 7u40
                                     
2013-07-01
I'm adding nmi label - please remove this once you address Jeannette's comments and at that point - this request will show up in the queue.
                                     
2013-07-01
Please address/confirm Jeannette's comments before I approve this bug.
                                     
2013-07-01
On some OSes, such as Linux and Mac OS X, the method StringQuoteUtil.parseCommandLine() receives a quoted string containing multiple JVM parameters. This causes incorrect parsing, and as a result the application fails to start with StringIndexOutOfBoundsException.
Fix: StringQuoteUtil.parseCommandLine() should unquote an input string, if any.
                                     
2013-06-20
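
The unquote-then-split fix and the "checks run after the split" ordering described in the comments above, as an added example that is not Oracle's StringQuoteUtil or Property code. The class, the method names and the two-entry allowlist are hypothetical, and the input is constructed from the java-vm-args value quoted on this page.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

public class VmArgsSplitDemo {
    // Hypothetical allowlist (assumption): only the two options quoted on this page. Java 9+.
    static final Set<String> ALLOWED = Set.of("-XX:MinHeapFreeRatio", "-XX:MaxHeapFreeRatio");

    // Strip one enclosing pair of double quotes, only when no other quote is inside.
    static String unquote(String s) {
        String t = s.trim();
        boolean wrapped = t.length() >= 2 && t.charAt(0) == '"'
                && t.indexOf('"', 1) == t.length() - 1;
        return wrapped ? t.substring(1, t.length() - 1) : t;
    }

    // Split on whitespace that is outside double quotes; quote characters are dropped.
    static List<String> split(String line) {
        List<String> out = new ArrayList<>();
        StringBuilder cur = new StringBuilder();
        boolean inQuotes = false;
        for (char c : line.toCharArray()) {
            if (c == '"') {
                inQuotes = !inQuotes;
            } else if (Character.isWhitespace(c) && !inQuotes) {
                if (cur.length() > 0) { out.add(cur.toString()); cur.setLength(0); }
            } else {
                cur.append(c);
            }
        }
        if (cur.length() > 0) out.add(cur.toString());
        return out;
    }

    // Per-token check run after splitting: allowlisted name and a short numeric value.
    static boolean isAllowed(String token) {
        int eq = token.indexOf('=');
        if (eq <= 0) return false; // guard the index before any substring call
        String value = token.substring(eq + 1);
        return ALLOWED.contains(token.substring(0, eq)) && value.matches("[0-9]{1,3}");
    }

    public static void main(String[] args) {
        // Constructed input: the page's java-vm-args value, still wrapped in quotes.
        String raw = "\"-XX:MinHeapFreeRatio=20 -XX:MaxHeapFreeRatio=35\"";
        for (String line : new String[] { raw, unquote(raw) }) {
            List<String> tokens = split(line);
            System.out.println(tokens.size() + " token(s): " + tokens);
            for (String t : tokens) System.out.println("  allowed=" + isAllowed(t) + "  " + t);
        }
    }
}
```

Without unquoting, the whole value arrives as a single token containing two "=" signs and fails the per-token check; after unquoting it splits into two tokens that each pass. Because the check runs on the tokens rather than on the raw string, it applies however the split boundary moves.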


