(maven) 01/02: Fix mvn script expanding ${...} in CLI arguments

Tue, 19 May 2026 03:05:22 -0700 

This is an automated email from the ASF dual-hosted git repository.

gnodet pushed a commit to branch backport-11983-to-4.0.x
in repository https://gitbox.apache.org/repos/asf/maven.git

commit b41303b2b16e117349bd0a6db3639cf1ec45f5b5
Author: Gerd Aschemann <[email protected]>
AuthorDate: Fri Apr 24 09:08:46 2026 +0200

    Fix mvn script expanding ${...} in CLI arguments
    
    The eval in the mvn script causes shell expansion of ${...} patterns
    in user-provided arguments. Pass user arguments directly via "$@"
    instead of concatenating them into the eval string. This preserves
    MAVEN_OPTS word splitting while preventing unintended shell expansion.
    
    Fixes #11978
    
    Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
---
 apache-maven/src/assembly/maven/bin/mvn | 14 ++++++--------
 1 file changed, 6 insertions(+), 8 deletions(-)

diff --git a/apache-maven/src/assembly/maven/bin/mvn 
b/apache-maven/src/assembly/maven/bin/mvn
index 1a8e6a2fdc..914f61a42b 100755
--- a/apache-maven/src/assembly/maven/bin/mvn
+++ b/apache-maven/src/assembly/maven/bin/mvn
@@ -275,7 +275,7 @@ handle_args() {
 handle_args "$@"
 MAVEN_MAIN_CLASS=${MAVEN_MAIN_CLASS:=org.apache.maven.cling.MavenCling}
 
-# Build command string for eval
+# Build base command string for eval (only contains Maven-controlled values)
 cmd="\"$JAVACMD\" \
   $MAVEN_OPTS \
   $MAVEN_DEBUG_OPTS \
@@ -289,14 +289,12 @@ cmd="\"$JAVACMD\" \
   $LAUNCHER_CLASS \
   $MAVEN_ARGS"
 
-# Add remaining arguments with proper quoting
-for arg in "$@"; do
-    cmd="$cmd \"$arg\""
-done
-
 if [ -n "$MAVEN_DEBUG_SCRIPT" ]; then
   echo "[DEBUG] Launching JVM with command:" >&2
-  echo "[DEBUG]   $cmd" >&2
+  echo "[DEBUG]   $cmd" "$@" >&2
 fi
 
-eval exec "$cmd"
+# User arguments ("$@") are passed directly to preserve literal values
+# like ${...} Maven property placeholders without shell expansion.
+# Only the base command uses eval for MAVEN_OPTS word splitting.
+eval exec "$cmd" '"$@"'

Reply via email to