bmarwell commented on code in PR #11489:
URL: https://github.com/apache/maven/pull/11489#discussion_r2569908272
##########
apache-maven/src/assembly/maven/bin/mvn:
##########
@@ -168,23 +168,40 @@ find_file_argument_basedir() {
# concatenates all lines of a file and replaces variables
concat_lines() {
if [ -f "$1" ]; then
- # First convert all CR to LF using tr
- tr '\r' '\n' < "$1" | \
- sed -e '/^$/d' -e 's/#.*$//' | \
- # Replace LF with NUL for xargs
- tr '\n' '\0' | \
- # Split into words and process each argument
- # Use -0 with NUL to avoid special behaviour on quotes
- xargs -n 1 -0 | \
- while read -r arg; do
- # Replace variables first
- arg=$(echo "$arg" | sed \
- -e "s@\${MAVEN_PROJECTBASEDIR}@$MAVEN_PROJECTBASEDIR@g" \
- -e "s@\$MAVEN_PROJECTBASEDIR@$MAVEN_PROJECTBASEDIR@g")
-
- echo "$arg"
- done | \
- tr '\n' ' '
+ result=""
+ # Read the file line by line
+ # Do not use `xargs -0` as this is not POSIX-compliant
+ while IFS= read -r line || [ -n "$line" ]; do
+ # Convert CR to LF
+ line=$(echo "$line" | tr '\r' '\n')
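Review bot: `echo "$line"` in the CR conversion is not safe for arbitrary file content. POSIX leaves backslash handling in `echo` implementation-defined, so under shells such as dash a value like `-Dpath=C:\temp` has its `\t` turned into a tab before `tr` sees it. Use `printf '%s\n' "$line"` here. Since `read` has already split on LF, `tr -d '\r'` would drop carriage returns without putting a newline inside `$line`.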
Review Comment:
This can produce embedded newlines that confuse splitting if `\r` is in the
middle of a line. But I think that is problematic anyway.
##########
apache-maven/src/assembly/maven/bin/mvn:
##########
@@ -168,23 +168,40 @@ find_file_argument_basedir() {
# concatenates all lines of a file and replaces variables
concat_lines() {
if [ -f "$1" ]; then
- # First convert all CR to LF using tr
- tr '\r' '\n' < "$1" | \
- sed -e '/^$/d' -e 's/#.*$//' | \
- # Replace LF with NUL for xargs
- tr '\n' '\0' | \
- # Split into words and process each argument
- # Use -0 with NUL to avoid special behaviour on quotes
- xargs -n 1 -0 | \
- while read -r arg; do
- # Replace variables first
- arg=$(echo "$arg" | sed \
- -e "s@\${MAVEN_PROJECTBASEDIR}@$MAVEN_PROJECTBASEDIR@g" \
- -e "s@\$MAVEN_PROJECTBASEDIR@$MAVEN_PROJECTBASEDIR@g")
-
- echo "$arg"
- done | \
- tr '\n' ' '
+ result=""
+ # Read the file line by line
+ # Do not use `xargs -0` as this is not POSIX-compliant
+ while IFS= read -r line || [ -n "$line" ]; do
+ # Convert CR to LF
+ line=$(echo "$line" | tr '\r' '\n')
+ # Remove comments
+ line=$(echo "$line" | sed 's/#.*$//')
+ # Skip empty lines
+ [ -z "$(echo "$line" | tr -d ' \t')" ] && continue
+
+ # Process each argument in the line using eval to handle quotes
+ eval "set -- $line"
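Review bot: `eval "set -- $line"` hands every line of the file to the full shell parser, so command substitution, parameter expansion and pathname expansion all run on whatever the file contains. If only quote grouping is needed, split the line with a small quote-aware loop instead of `eval`, or at minimum reject lines containing a backtick or `$(` before this point and document the behaviour. Separately, the `sed 's/#.*$//'` a few lines above cuts at any `#`, including one inside a quoted value, which then reaches `eval` with an unbalanced quote.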
Review Comment:
This allows command substitution/globbing -> unsafe and can execute
backticks/$() from .mvn/jvm.config. Is this wanted? Seems dangerous, we might
want to at least document this.
##########
apache-maven/src/assembly/maven/bin/mvn:
##########
@@ -168,23 +168,40 @@ find_file_argument_basedir() {
# concatenates all lines of a file and replaces variables
concat_lines() {
if [ -f "$1" ]; then
- # First convert all CR to LF using tr
- tr '\r' '\n' < "$1" | \
- sed -e '/^$/d' -e 's/#.*$//' | \
- # Replace LF with NUL for xargs
- tr '\n' '\0' | \
- # Split into words and process each argument
- # Use -0 with NUL to avoid special behaviour on quotes
- xargs -n 1 -0 | \
- while read -r arg; do
- # Replace variables first
- arg=$(echo "$arg" | sed \
- -e "s@\${MAVEN_PROJECTBASEDIR}@$MAVEN_PROJECTBASEDIR@g" \
- -e "s@\$MAVEN_PROJECTBASEDIR@$MAVEN_PROJECTBASEDIR@g")
-
- echo "$arg"
- done | \
- tr '\n' ' '
+ result=""
+ # Read the file line by line
+ # Do not use `xargs -0` as this is not POSIX-compliant
+ while IFS= read -r line || [ -n "$line" ]; do
+ # Convert CR to LF
+ line=$(echo "$line" | tr '\r' '\n')
+ # Remove comments
+ line=$(echo "$line" | sed 's/#.*$//')
+ # Skip empty lines
+ [ -z "$(echo "$line" | tr -d ' \t')" ] && continue
+
+ # Process each argument in the line using eval to handle quotes
+ eval "set -- $line"
+ for arg in "$@"; do
+ # Replace variables
+ arg=$(echo "$arg" | sed \
+ -e "s@\${MAVEN_PROJECTBASEDIR}@$MAVEN_PROJECTBASEDIR@g" \
+ -e "s@\$MAVEN_PROJECTBASEDIR@$MAVEN_PROJECTBASEDIR@g")
+
+ # Quote the argument if it contains spaces or special shell characters
+ case "$arg" in
+ *[\ \|\&\;\<\>\(\)\$\`\\\"\'\~\*\?\[\]\#\~\=]*)
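Review bot: In the `sed` call that substitutes `MAVEN_PROJECTBASEDIR`, the directory path is pasted into the replacement text unescaped, so a base directory containing `@`, `&` or a backslash changes or breaks the substitution. Escape those characters before building the `sed` expression. In the `case` pattern just below, `\~` is listed twice.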
Review Comment:
This looks fragile. Does it work correctly on backticks and double quotes? If
backticks or double quotes are inside, should we not use `arg="'$arg'"` instead?
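The `eval "set -- $line"` concern raised in the review above can be avoided by splitting the line by hand. The following is an added example, not code from the PR or from Maven: `split_args_noeval` is a hypothetical helper and the sample line is constructed. It honours single and double quotes only, treats backslashes as ordinary characters, and never expands `$()`, backticks, globs or variables.

```shell
#!/bin/sh
# Added example: tokenize one config line without eval.
# split_args_noeval is a hypothetical name, not part of the mvn script.
# Prints one argument per output line. Quotes group words; everything
# else in the line is copied literally, so nothing is ever executed.
split_args_noeval() {
  rest=$1
  tok=''      # argument being built
  quote=''    # active quote character, empty when outside quotes
  have=0      # 1 once the current argument has started (allows "")
  tab=$(printf '\t')
  while [ -n "$rest" ]; do
    c=${rest%"${rest#?}"}   # first character of $rest
    rest=${rest#?}          # remainder
    if [ -n "$quote" ]; then
      if [ "$c" = "$quote" ]; then
        quote=''            # closing quote: drop it
      else
        tok=$tok$c          # inside quotes: copy verbatim
      fi
    else
      case $c in
        \'|\")
          quote=$c
          have=1 ;;
        ' '|"$tab")
          # unquoted whitespace ends the current argument
          if [ "$have" -eq 1 ]; then printf '%s\n' "$tok"; fi
          tok=''
          have=0 ;;
        *)
          tok=$tok$c
          have=1 ;;
      esac
    fi
  done
  if [ -n "$quote" ]; then
    echo "split_args_noeval: unterminated quote" >&2
    return 1
  fi
  if [ "$have" -eq 1 ]; then printf '%s\n' "$tok"; fi
}

# Constructed sample line: the $() text and the * come out as literal text.
split_args_noeval "-Xmx1g -Dname=\"a b\" '-Dcmd=\$(id)' -Dglob=*"
```
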