The changes in JDK-8005942 (with follow up changes JDK-8009463 and JDK-8012453) involve parsing the command-line input to determine the command and arguments parts. The parsing includes checking for quoting and other special cases such as CMD and BAT files.

These changes are causing huge pain to developers and customers that have been using Runtime.exec and ProcessBuilder in insecure and sloppy ways. In summary we cannot change the JDK to impose rules around quoting and special cases after 15 years without causing major breakage and compatibility issues for customers and developers.

This bug is submitted to re-visit this topic with a view to only imposing the strict parsing and checking when there is a security manager set. When not running with a security manager then the JDK should just pass the command to Windows as it always did. Clearly there is still potential for breakage when running with a security manager but any usages of Runtime.exec and ProcessBuilder in this context need to be done in a secure manner.

One downside of reverting to long standing behavior that developers will continue to use Runtime.exec in sloppy ways. One possible aid would be to introduce a property that allows developers to strict parsing. If the diagnostic output is good then it would help developers to create the command strings correctly.