ascheman opened a new pull request, #11983:
URL: https://github.com/apache/maven/pull/11983
## Summary
The `eval` in the `mvn` script causes shell expansion of `${...}` patterns
in user-provided CLI arguments, breaking any argument that contains Maven
property placeholders like `${surefire.threadNumber}` or
`${project.basedir}`.
## Problem
The current script concatenates user arguments into a command string and
then uses `eval exec` which re-parses the string and triggers shell variable
expansion:
```sh
for arg in "$@"; do
cmd="$cmd \"$arg\""
done
eval exec "$cmd"
```
Maven 3's `mvn` script uses `exec ... "$@"` which passes arguments verbatim.
## Fix
Pass user arguments directly via `"$@"` instead of concatenating them into
the eval string. Only the base command (containing `$MAVEN_OPTS` etc.) uses
`eval` for word splitting:
```sh
eval exec "$cmd" '"$@"'
```
## Verification
Tested locally with Maven 4.0.0-rc-5:
- `${...}` in `-D` arguments: no longer causes `bad substitution`
- `MAVEN_OPTS` with spaces: still works (word splitting via `eval`)
- Arguments with spaces: still works (`"$@"` preserves quoting)
- 20 maven-surefire integration tests that previously failed with
`bad substitution` now run successfully
Fixes #11978
Related: apache/maven-surefire#3345
Note: The same fix applies to the `maven-4.0.x` branch where the `mvn`
script is identical.
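The two launch patterns described in the pull request above, run side by side. This is an added example, not code from the pull request or from Maven's `mvn` script. `show_args` stands in for the JVM launch, `exec` is dropped so the demo returns to the caller, and `launch_old`, `launch_new`, `DEMO_VAR` and the `MAVEN_OPTS` value are hypothetical names and constructed sample values.

```shell
#!/bin/sh
# Stand-in for the launched program: prints each argument it receives, one per line.
show_args() {
    for a in "$@"; do
        printf '[%s]\n' "$a"
    done
}

# "Problem" pattern: user arguments are pasted into the string that eval re-parses,
# so the shell expands anything in them that looks like ${...}.
launch_old() {
    cmd="show_args $MAVEN_OPTS"
    for arg in "$@"; do
        cmd="$cmd \"$arg\""
    done
    eval "$cmd"
}

# "Fix" pattern: eval only re-parses the base command (word splitting of MAVEN_OPTS);
# the literal text "$@" is expanded by eval itself, so each argument arrives verbatim.
launch_new() {
    cmd="show_args $MAVEN_OPTS"
    eval "$cmd" '"$@"'
}

MAVEN_OPTS='-Xmx1g -Xss2m'   # constructed sample value
DEMO_VAR=constructed         # hypothetical shell variable that happens to be set

for sample in '-Dx=${DEMO_VAR}' '-DargLine=${surefire.threadNumber}' 'a b'; do
    # The old pattern runs in a subshell because a bad substitution aborts the shell.
    old=$(launch_old "$sample" 2>/dev/null) || old='(shell error, nothing launched)'
    new=$(launch_new "$sample")
    printf 'arg %s\n old: %s\n new: %s\n' "$sample" "$old" "$new"
done
```

With the old pattern, a placeholder whose name is a valid shell identifier is silently replaced by the shell's value before Maven sees it, which is harder to notice than the `bad substitution` failure.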