The shell quoting logic in this package (and in the org.codehaus.plexus.util.cli.shell package) looks fairly dangerous. It appears to be mostly dead code. Client code should be migrated to java.lang.ProcessBuilder.
The different quoting options (single quotes, double quotes) are difficult to get right, and the reference to StringUtils is not particularly helpful because the caller has to provide the correct set of characters to be escaped, which is platform-dependent.
The plexus-utils package is widely used (required by 96 packages in Fedora, and it is the most often downloaded artifact on Maven Central), so changing the API or migrating dependent packages to use the standard JDK API would be difficult or impossible.
If I remember correctly the shell quoting code is indirectly used by maven-scm and maven-wagon. Migration to ProcessBuilder is impossible (or at least not always possible) because the shell code needs to be executed on remote hosts (e.g. over SSH), which is beyond the capabilities of ProcessBuilder.
In my opinion the shell quoting and escaping code should be fixed to conform to appropriate standards, like .
Related to upstream bug PLXUTILS-161
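The two points made above (arguments should go to ProcessBuilder as a list rather than through a shell, and where a shell on a remote host is unavoidable the quoting must follow the POSIX sh rules rather than a caller-supplied escape set) can be shown in a few lines. The following is an added example, not code from plexus-utils or from the patch attached to PLXUTILS-161; it assumes Java 11 or later and a local POSIX sh for the round-trip check. The class name, method names and the sample argument are constructed for illustration.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/** Hypothetical helper class (not part of plexus-utils). */
public final class SafeShellQuoting {

    /**
     * Quote one argument for a POSIX sh command line. Inside single quotes
     * every character is literal except the single quote itself, which is
     * closed, backslash-escaped and reopened: ' -> '\'' . This is the only
     * rule needed; no platform-specific list of "special" characters.
     */
    public static String posixQuote(String arg) {
        if (arg.isEmpty()) {
            return "''";
        }
        StringBuilder sb = new StringBuilder(arg.length() + 2);
        sb.append('\'');
        for (char c : arg.toCharArray()) {
            if (c == '\'') {
                sb.append("'\\''");
            } else {
                sb.append(c);
            }
        }
        sb.append('\'');
        return sb.toString();
    }

    /** Join an argv into a single string for a remote POSIX sh (e.g. via ssh). */
    public static String posixCommandLine(List<String> argv) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < argv.size(); i++) {
            if (i > 0) {
                sb.append(' ');
            }
            sb.append(posixQuote(argv.get(i)));
        }
        return sb.toString();
    }

    /** Run locally with no shell at all: each list element is one argv entry. */
    public static String runLocally(List<String> argv)
            throws IOException, InterruptedException {
        Process p = new ProcessBuilder(argv).redirectErrorStream(true).start();
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        p.waitFor();
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample argument containing shell metacharacters and a quote.
        String untrusted = "report'; rm -rf /*; echo '";

        // Local case: no quoting needed, the value is a single argv element.
        List<String> local = new ArrayList<>();
        local.add("printf");
        local.add("%s\n");
        local.add(untrusted);
        System.out.print("local  : " + runLocally(local));

        // Remote case: the remote shell parses a string, so build it with
        // posixCommandLine and pass it to ssh as ONE argument.
        List<String> remoteArgv = List.of("ls", "-l", "--", untrusted);
        String remoteCommand = posixCommandLine(remoteArgv);
        List<String> ssh = List.of("ssh", "build-host.example", remoteCommand);
        System.out.println("remote : " + ssh);

        // Round-trip check against a local sh: after parsing the quoted form,
        // the shell must hand printf exactly the original bytes.
        String check = runLocally(List.of("sh", "-c",
                "printf '%s\\n' " + posixQuote(untrusted)));
        System.out.println("roundtrip ok: " + check.equals(untrusted + "\n"));
    }
}
```

The round-trip through `sh -c` is the check a reviewer of a quoting routine should demand: whatever the input, the shell must yield the original string back as one word. Note that ssh itself joins its remaining arguments with spaces and hands the result to the remote login shell, which is why the whole remote command line is passed as a single ProcessBuilder argument rather than as a list.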
I am one of the current maintainers of the plexus code in question.
Plexus-utils is mostly used within maven, which (like all the build systems for java) is not a "safe" execution environment; if someone wants to inject an "rm -rf /*" into your build system there's probably thousands of different attack vectors to achieve this. This applies to all modern java build systems and is not a particular maven problem.
I am mostly trying to establish the actual severity of this issue;
we will gladly accept patches that update the correctness of the quoting algorithms (or if you can explain it to thickheads like me, I'll even fix it myself!). The code we're talking about here is ancient (and none of my doing) and just understanding the problem/consequences is hard enough.
A patch correcting the quoting algorithm (and avoiding its use where possible) has been attached to PLXUTILS-161.
This message is a reminder that Fedora 18 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 18. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '18'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 18's end of life.
Thank you for reporting this issue and we are sorry that we may not be
able to fix it before Fedora 18 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to Fedora 18's end of life.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Fixed in plexus-utils-3.0.16-1
I believe that this bug is fixed in plexus-utils-3.0.16-1,
which is available in Fedora Rawhide, so I am closing this bug now.
The build containing the fix can be found at Koji:
This bug was fixed in the next release of Fedora, and is not planned
to be fixed in the release it was filed against. If you want this bug
to be fixed in updates for Fedora 18, please say so in a comment.
Otherwise you can update to the newer release of Fedora to get the fix.