CmdShell does not escape asterisk arg value (SCM-763)

[michael-o]

This was found during SCM-763.

Consider your want to pass a password (on Windows) with asterisk: S8p3r*S3cr3t. The escaped outcome is S8p3r*S3cr3t. No change, but to pass an asterisk you need to quote the entire string otherwise the shell will expand the asterisk. Correct value would be: "S8p3r*S3cr3t"

Currently, this is impossible in Plexus Utils.

[belingueres]

@michael-o is this still an issue? I see SCM-763 is fixed now.

[michael-o]

Yes, it is. The entire process execution suffers from one serious flaw that it executes a local shell rather than providing it to the system directory. The shell will do its own replacement which hasn't been espaced by this implementation.

[slachiewicz]

Is it worth keeping the issue open? Any idea how this should be fixed?

[michael-o]

Is it worth keeping the issue open? Any idea how this should be fixed?

Yes, because the shell invocation needs to be dropped altogether.

[slachiewicz]

Should be fixed here or deprecated here CmdShell and fix it properly on SCM?

[michael-o]

Should be fixed here or deprecated here CmdShell and fix it properly on SCM?

Completely here replace all shell impls with ProcessBuilder