gnodet commented on code in PR #11609:
URL: https://github.com/apache/maven/pull/11609#discussion_r3284352453
##########
apache-maven/src/assembly/maven/bin/mvn:
##########
@@ -291,7 +291,7 @@ cmd="\"$JAVACMD\" \
# Add remaining arguments with proper quoting
for arg in "$@"; do
- cmd="$cmd \"$arg\""
+ cmd="$cmd '$arg'"
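Review bot: on the added line `cmd="$cmd '$arg'"`, `$arg` is placed between single quotes without any escaping, so an argument that itself contains `'` closes the quoted region early and the rest of it is re-parsed as shell syntax if `cmd` is later passed to `eval`. The removed line had the same weakness for `"`, `$` and backticks inside double quotes, so neither form round-trips arbitrary input. Either rewrite each `'` in `$arg` as `'\''` before wrapping it, or keep the arguments out of the string and hand them over as `"$@"`.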
Review Comment:
Arguments containing literal single quotes will break here. For example,
`-Dprop="it's a value"` produces the `cmd` fragment `'it's a value'`, which
`eval` will misparse as three tokens.

The previous approach of passing `'"$@"'` to `eval` was safer because `"$@"`
preserves each argument exactly as received by the shell, with no re-quoting
needed.

If the goal is to prevent `${...}` expansion during `eval`, the safest fix
would be to escape the problematic characters inside double quotes rather than
switching to single quotes:
```suggestion
cmd="$cmd \"$(printf '%s' "$arg" | sed "s/'/'\\\\''/g")\""
```
...though honestly keeping the current `eval exec "$cmd" '"$@"'` approach
and investigating why `${...}` was being expanded there would be the better
path.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
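The quoting problem raised in the comment above, as an added example that is not part of the original message or of the Maven launcher: it builds a command string for `eval` with the naive `'$arg'` wrapping and with each `'` rewritten as `'\''`, then shows what the launched program would receive. All function names (`quote_for_eval`, `show_args`, `build_naive`, `build_quoted`, `run_built`) are hypothetical and the sample arguments are constructed.

```shell
#!/bin/sh
# Added example; every function name here is hypothetical, not from bin/mvn.

# Quote one argument so eval reproduces it byte-for-byte: wrap it in single
# quotes and rewrite each embedded ' as '\'' (close, escaped quote, reopen).
quote_for_eval() {
    # The sentinel "x" keeps $(...) from stripping trailing newlines.
    q=$(printf '%sx' "$1" | sed "s/'/'\\\\''/g")
    printf "'%s'" "${q%x}"
}

# Stand-in for the launched program: prints each argument it receives in [].
show_args() { for a in "$@"; do printf '[%s]' "$a"; done; }

# Naive wrapping, as in the hunk's added line: embedded quotes are not escaped.
build_naive() {
    out=show_args
    for arg in "$@"; do out="$out '$arg'"; done
    printf '%s' "$out"
}

# Same loop, but each argument goes through quote_for_eval first.
build_quoted() {
    out=show_args
    for arg in "$@"; do out="$out $(quote_for_eval "$arg")"; done
    printf '%s' "$out"
}

# Evaluate in a subshell so a syntax error in the built string cannot
# terminate the calling script; report failure as text instead.
run_built() { ( eval "$1" ) 2>/dev/null || printf 'EVAL-FAILED'; }

# Constructed sample arguments.
A1="-Dprop=it's a value"
A2='-Dhome=${user.home}'
A3="-Dmsg='a b'"

printf 'naive : %s\n' "$(run_built "$(build_naive "$A1")")"
printf 'naive : %s\n' "$(run_built "$(build_naive "$A3")")"
printf 'quoted: %s\n' "$(run_built "$(build_quoted "$A1" "$A2" "$A3")")"
```

With the naive wrapping, an odd number of embedded quotes makes `eval` fail outright, while an even number silently changes the argument list; the quoted form returns every argument unchanged, including the literal `${user.home}`.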