United StatesChange Country, Oracle Worldwide Web Sites Communities I am a... I want to...
JDK-8041339 : JNLP with java-vm-args whose length exceeded 512 chars failed to get loaded with CouldNotLoadArgumentException

Details
Type:
Bug
Submit Date:
2014-04-21
Status:
Resolved
Updated Date:
2014-10-29
Project Name:
JDK
Resolved Date:
2014-04-29
Component:
deploy
OS:
Sub-Component:
webstart
CPU:
Priority:
P3
Resolution:
Fixed
Affected Versions:
7u65,8u11
Fixed Versions:

Related Reports
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Backport:
Relates:
Relates:

Sub Tasks

Description
Steps to reproduce:
1. Install 8u11-b04 and set security level to medium from JCP
2. Clear cache: javaws -uninstall
3. Launch app that has java-vm-args with length exceeded 512 chars by browser.(Input the url into browser's address area and press Enter. And then select javaws to launch it if necessary): http://kgb.us.oracle.com:8080/JawsSecurity/jnlp/testIllegalArg.jnlp
4.Accept security warning dialog promoted
5.If app failed to get loaded with the following exception, then this bug is reproduced:
CouldNotLoadArgumentException[ Could not load file/URL specified: C:\Users\wenjyang\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\10fd2b07-43f341ac]
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

Expected behavior: App should get loaded successfully.
Actual behavior: App gets blocked due to CouldNotLoadArgumentException.

Note: with jre8-b123, app can get loaded successfully.

src:
http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsSecurity/src/HelloWorld.java
http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsSecurity/src/MaliciousCode.java

                                    

Comments
request for 14_03:

 It's regression - and it's safer to reject bad characters earlier.   SQE also agree. 
                                     
2014-04-29
crucible: https://java.se.oracle.com/code/cru/CR-JDK8UCPU-101
                                     
2014-04-24
I can reproduce with 8u11.  And 8u5 works, so it's regression.
                                     
2014-04-22
Affected tests:
JawsSecurityScenarios/testIllegalArgExecution_Browser
JawsSecurityScenarios/testIllegalArgExecution_jwsAbsolutePath
JawsSecurityScenarios/testIllegalArgExecution_jwsRelativePath 
                                     
2014-04-21



Hardware and Software, Engineered to Work Together