JDK-8041339 : JNLP with java-vm-args whose length exceeded 512 chars failed to get loaded with CouldNotLoadArgumentException
  • Type: Bug
  • Status: Resolved
  • Resolution: Fixed
  • Component: deploy
  • Sub-Component: webstart
  • Priority: P3
  • Affected Version: 7u65,8u11
  • Submit Date: 2014-04-21
  • Updated Date: 2014-10-29
  • Resolved Date: 2014-04-29
The Version table provides details related to the release that this issue/RFE will be addressed.

Unresolved : Release in which this issue/RFE will be addressed.
Resolved: Release in which this issue/RFE has been resolved.
Fixed : Release in which this issue/RFE has been fixed. The release containing this fix may be available for download as an Early Access Release or a General Availability Release.

  • JDK 7: 7u65 (Resolved)
  • JDK 8: 8u11 (Resolved)
  • JDK 9: 9 b15 (Resolved)
Description
Steps to reproduce:
1. Install 8u11-b04 and set security level to medium from JCP
2. Clear cache: javaws -uninstall
3. Launch an app that has java-vm-args with length exceeding 512 chars from the browser (input the URL into the browser's address area and press Enter, then select javaws to launch it if necessary): http://kgb.us.oracle.com:8080/JawsSecurity/jnlp/testIllegalArg.jnlp
4. Accept the security warning dialog prompted
5. If the app fails to get loaded with the following exception, then this bug is reproduced:
CouldNotLoadArgumentException[ Could not load file/URL specified: C:\Users\wenjyang\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\7\10fd2b07-43f341ac]
	at com.sun.javaws.Main.launchApp(Unknown Source)
	at com.sun.javaws.Main.continueInSecureThread(Unknown Source)
	at com.sun.javaws.Main.access$000(Unknown Source)
	at com.sun.javaws.Main$1.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

Expected behavior: App should get loaded successfully.
Actual behavior: App gets blocked due to CouldNotLoadArgumentException.

Note: with jre8-b123, app can get loaded successfully.

src:
http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsSecurity/src/HelloWorld.java
http://sqeweb.us.oracle.com/net/sqenfs-1/export1/comp/jsn/users/crystal/DO_NOT_REMOVE_ME/jrebug/JawsSecurity/src/MaliciousCode.java

Comments
request for 14_03: It's a regression - and it's safer to reject bad characters earlier. SQE also agrees.
2014-04-29

crucible: https://java.se.oracle.com/code/cru/CR-JDK8UCPU-101
2014-04-24

I can reproduce with 8u11. And 8u5 works, so it's a regression.
2014-04-22

Affected tests:
  • JawsSecurityScenarios/testIllegalArgExecution_Browser
  • JawsSecurityScenarios/testIllegalArgExecution_jwsAbsolutePath
  • JawsSecurityScenarios/testIllegalArgExecution_jwsRelativePath
2014-04-21