{"expand":"renderedFields,names,schema,transitions,operations,editmeta,changelog","id":"148945","self":"http://jira.codehaus.org/rest/api/latest/issue/148945","key":"PLXUTILS-161","fields":{"progress":{"progress":0,"total":0},"summary":"Commandline class shell injection vulnerabilities","timetracking":{},"issuetype":{"self":"http://jira.codehaus.org/rest/api/2/issuetype/1","id":"1","description":"A problem which impairs or prevents the functions of the product.","iconUrl":"http://jira.codehaus.org/images/icons/issuetypes/bug.png","name":"Bug","subtask":false},"customfield_10110":{"self":"http://jira.codehaus.org/rest/api/2/customFieldOption/10040","value":"yes","id":"10040"},"votes":{"self":"http://jira.codehaus.org/rest/api/2/issue/PLXUTILS-161/votes","votes":1,"hasVoted":false},"resolution":{"self":"http://jira.codehaus.org/rest/api/2/resolution/1","id":"1","description":"A fix for this issue is checked into the tree and tested.","name":"Fixed"},"fixVersions":[{"self":"http://jira.codehaus.org/rest/api/2/version/19579","id":"19579","name":"3.0.16","archived":false,"released":true,"releaseDate":"2013-12-21"}],"resolutiondate":"2013-10-23T12:56:05.086-0500","customfield_10210":"1.0","timespent":null,"reporter":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles 
Duffy","active":true},"aggregatetimeoriginalestimate":null,"customfield_10161":["charles@dyfis.net(charles@dyfis.net)","gdomjan(gdomjan)","krosenvold(krosenvold)","mizdebsk(mizdebsk)"],"customfield_10160":null,"updated":"2014-01-27T13:47:22.700-0600","created":"2013-09-26T15:36:11.492-0500","description":"The Commandline class in plexus-utils does not correctly quote the contents of double-quoted strings. Because double quotes still permit shell expansion, an argument containing metacharacters such as $(...) or backquotes is evaluated by the /bin/sh that Commandline spawns rather than being passed through literally -- a command-injection vector whenever any argument is attacker-influenced.\r\n\r\nFrankly, it makes more sense to stop using a shell altogether (invoke the program directly via Runtime.exec with an argument array, so no shell ever parses the arguments) than to try to improve the shell code-generation logic. A patch to do the same is provided.","priority":{"self":"http://jira.codehaus.org/rest/api/2/priority/3","iconUrl":"http://jira.codehaus.org/images/icons/priorities/major.png","name":"Major","id":"3"},"duedate":null,"issuelinks":[],"customfield_10163":"30412800","watches":{"self":"http://jira.codehaus.org/rest/api/2/issue/PLXUTILS-161/watchers","watchCount":4,"isWatching":false},"worklog":{"startAt":0,"maxResults":20,"total":0,"worklogs":[]},"subtasks":[],"status":{"self":"http://jira.codehaus.org/rest/api/2/status/6","description":"The issue is considered finished, the resolution is correct. 
Issues which are closed can be reopened.","iconUrl":"http://jira.codehaus.org/images/icons/statuses/closed.png","name":"Closed","id":"6"},"customfield_10090":null,"labels":[],"workratio":-1,"assignee":{"self":"http://jira.codehaus.org/rest/api/2/user?username=krosenvold","name":"krosenvold","emailAddress":"krosenvold@apache.org","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&ownerId=krosenvold&avatarId=11127","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&ownerId=krosenvold&avatarId=11127","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&ownerId=krosenvold&avatarId=11127","48x48":"http://jira.codehaus.org/secure/useravatar?ownerId=krosenvold&avatarId=11127"},"displayName":"Kristian Rosenvold","active":true},"attachment":[{"self":"http://jira.codehaus.org/rest/api/2/attachment/64134","id":"64134","filename":"use-no-shell-r2.patch","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"created":"2013-09-27T14:51:14.194-0500","size":21555,"mimeType":"text/x-patch","content":"http://jira.codehaus.org/secure/attachment/64134/use-no-shell-r2.patch"}],"customfield_10221":null,"customfield_10220":null,"customfield_10200":null,"aggregatetimeestimate":null,"customfield_10190":null,"project":{"self":"http://jira.codehaus.org/rest/api/2/project/11432","id":"11432","key":"PLXUTILS","name":"Plexus 
Utils","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/projectavatar?size=xsmall&pid=11432&avatarId=10011","24x24":"http://jira.codehaus.org/secure/projectavatar?size=small&pid=11432&avatarId=10011","32x32":"http://jira.codehaus.org/secure/projectavatar?size=medium&pid=11432&avatarId=10011","48x48":"http://jira.codehaus.org/secure/projectavatar?pid=11432&avatarId=10011"},"projectCategory":{"self":"http://jira.codehaus.org/rest/api/2/projectCategory/10003","id":"10003","description":"various containers","name":"containers"}},"versions":[{"self":"http://jira.codehaus.org/rest/api/2/version/19535","id":"19535","name":"3.0.15","archived":false,"released":true,"releaseDate":"2013-08-19"}],"customfield_10170":[{"self":"http://jira.codehaus.org/rest/api/2/customFieldOption/10070","value":"Yes","id":"10070"}],"environment":null,"timeestimate":null,"customfield_10130":null,"aggregateprogress":{"progress":0,"total":0},"lastViewed":null,"components":[],"comment":{"startAt":0,"maxResults":19,"total":19,"comments":[{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/333392","id":"333392","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=mizdebsk","name":"mizdebsk","emailAddress":"mizdebsk@redhat.com","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Mikolaj Izdebski","active":true},"body":"Related to a bug in Red Hat 
bugzilla:\r\nhttps://bugzilla.redhat.com/show_bug.cgi?id=958733","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=mizdebsk","name":"mizdebsk","emailAddress":"mizdebsk@redhat.com","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Mikolaj Izdebski","active":true},"created":"2013-09-27T12:45:04.116-0500","updated":"2013-09-27T12:45:04.116-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/333393","id":"333393","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"Discussion in the Red Hat bugzilla indicates that shell-generation code is explicitly and intentionally used for remote invocations over SSH, and that the given patch bypassing the problem is thus insufficient.\r\n\r\nI do hold that this patch is necessary, but no longer, given this discussion, that it is sufficient.\r\n\r\nI wrote a secure implementation of shell quoting for Rundeck a while back under the Apache 2.0 license -- it's available at https://github.com/charles-dyfis-net/rundeck/commit/093c9d21666d4d56318646924840fa4a7c0e6377. 
It may be appropriate to adopt that here.","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"created":"2013-09-27T13:26:58.306-0500","updated":"2013-09-27T13:26:58.306-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/333395","id":"333395","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"Updated version still avoids shell use for local execution -- but also correctly quotes contents for remote execution, using an extremely conservative (and thus safe) mechanism.","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles 
Duffy","active":true},"created":"2013-09-27T14:51:14.204-0500","updated":"2013-09-27T14:51:14.204-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/333576","id":"333576","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"A few comments on why it's safer to use single-quotes everywhere --\r\n\r\nWhile all modern operating systems provide a /bin/sh which complies with POSIX rules, shells are welcome to add new syntax above and beyond what POSIX mandates, and few are rigorously tested to ensure that all of this is completely disabled when invoked as /bin/sh (as is traditionally done for POSIX compatibility mode). 
bash, zsh and kin add substantial new expansion syntax beyond both POSIX and bash.\r\n\r\nWhile double-quotes allow internal expansions (which can, by nature, include additional expansions added by the local shell above and beyond those mandated by POSIX), single-quotes do not; one cannot have any form of expansion within single-quotes while remaining a POSIX-compatible shell.\r\n\r\nThus, transforming foo to 'foo' is the Right Thing to use in an environment where one trusts that the available shell will be a superset of POSIX, but does not trust it to implement only behavior mandated by POSIX sh proper.","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"created":"2013-10-03T13:14:41.915-0500","updated":"2013-10-03T13:14:41.915-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/333975","id":"333975","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=krosenvold","name":"krosenvold","emailAddress":"krosenvold@apache.org","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&ownerId=krosenvold&avatarId=11127","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&ownerId=krosenvold&avatarId=11127","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&ownerId=krosenvold&avatarId=11127","48x48":"http://jira.codehaus.org/secure/useravatar?ownerId=krosenvold&avatarId=11127"},"displayName":"Kristian Rosenvold","active":true},"body":"I have reviewed this patch and it looks good to me. 
I will claim mostly ignorance of shell escaping issues, and I just need convincing/explanation of this one thing before I apply the patch:\r\n\r\nHow can we be sure that we're not losing side effects of the shell startup if we move from wrapping the process in a shell to just using runtime exec directly? Feel free to tell me that I am an idiot for not understanding that all the escaping business is about avoiding exactly that. I just need this with a very small spoon....","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=krosenvold","name":"krosenvold","emailAddress":"krosenvold@apache.org","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&ownerId=krosenvold&avatarId=11127","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&ownerId=krosenvold&avatarId=11127","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&ownerId=krosenvold&avatarId=11127","48x48":"http://jira.codehaus.org/secure/useravatar?ownerId=krosenvold&avatarId=11127"},"displayName":"Kristian Rosenvold","active":true},"created":"2013-10-11T03:06:04.832-0500","updated":"2013-10-11T03:06:04.832-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/334499","id":"334499","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"Apologies about the lag -- wedding and honeymoon intervened.\r\n\r\nAnd yes -- the purpose of the escaping is to prevent side effects from the shell, which using Runtime.exec will similarly (but more efficiently) 
accomplish.","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"created":"2013-10-21T15:10:29.816-0500","updated":"2013-10-21T15:10:29.816-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/334500","id":"334500","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"...well. To be _entirely_ clear, there are other potential side effects from the invocation of a non-interactive, non-login shell, but a lot of them are things that fall under the aegis of \"bugs\", when they're noticed / noticable at all.\r\n\r\nFor instance, environment variables not complying with POSIX standards for allowed shell variable names will be filtered from the environment by some shells, but not others; using Runtime.exec() will suppress this effect, passing the current (or desired) environment through verbatim.\r\n\r\nFor another, having a shell in place can cause signal delivery to be disrupted -- signals intended for the command being run can be eaten by the shell, preventing the command from receiving them. 
(Suppressing this properly when using sh -c '...' would require sh -c 'exec ...' to be used instead, which would provide behavior closer to Runtime.exec()'s).\r\n\r\nIf ENV or shell-specific analogs such as BASH_ENV are set in the environment, they may specify a file whose commands are sourced by the new shell prior to execution of the desired command. (This is an XSI extension to POSIX, and not guaranteed to be honored on all POSIX systems, so relying on this behavior is generally an undesirable practice).","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"created":"2013-10-21T15:22:04.143-0500","updated":"2013-10-21T15:22:04.143-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/334578","id":"334578","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=krosenvold","name":"krosenvold","emailAddress":"krosenvold@apache.org","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&ownerId=krosenvold&avatarId=11127","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&ownerId=krosenvold&avatarId=11127","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&ownerId=krosenvold&avatarId=11127","48x48":"http://jira.codehaus.org/secure/useravatar?ownerId=krosenvold&avatarId=11127"},"displayName":"Kristian Rosenvold","active":true},"body":"Applied in b38a1b3a4352303e4312b2bb601a0d7ec6e28f41\r\n\r\nNow for the interesting part;\r\n\r\nThis code is actually forked in various versions, and this is not the \"original\". 
We have a duplicate under maven-shared-utils http://jira.codehaus.org/browse/MSHARED/component/15606\r\n\r\nIdeally I would like you to reapply this patch there too, since we are migrating from this version to the maven-shared-utils version (the packages are different, but I suppose most of the actual diff is identical) and until the fix is ported that copy keeps the same shell-quoting defect. Alternately you can just submit the existing diff as a patch to a MSHARED issue, and I'll see if I can apply it. But we need a clear record of submission to MSHARED, I can't just move your patch.\r\n\r\n","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=krosenvold","name":"krosenvold","emailAddress":"krosenvold@apache.org","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&ownerId=krosenvold&avatarId=11127","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&ownerId=krosenvold&avatarId=11127","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&ownerId=krosenvold&avatarId=11127","48x48":"http://jira.codehaus.org/secure/useravatar?ownerId=krosenvold&avatarId=11127"},"displayName":"Kristian Rosenvold","active":true},"created":"2013-10-23T12:56:05.183-0500","updated":"2013-10-23T12:56:05.183-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/334579","id":"334579","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=krosenvold","name":"krosenvold","emailAddress":"krosenvold@apache.org","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&ownerId=krosenvold&avatarId=11127","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&ownerId=krosenvold&avatarId=11127","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&ownerId=krosenvold&avatarId=11127","48x48":"http://jira.codehaus.org/secure/useravatar?ownerId=krosenvold&avatarId=11127"},"displayName":"Kristian Rosenvold","active":true},"body":"And yeah, thanks for the 
patch!","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=krosenvold","name":"krosenvold","emailAddress":"krosenvold@apache.org","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&ownerId=krosenvold&avatarId=11127","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&ownerId=krosenvold&avatarId=11127","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&ownerId=krosenvold&avatarId=11127","48x48":"http://jira.codehaus.org/secure/useravatar?ownerId=krosenvold&avatarId=11127"},"displayName":"Kristian Rosenvold","active":true},"created":"2013-10-23T13:09:39.063-0500","updated":"2013-10-23T13:09:39.063-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/334589","id":"334589","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"Hmm. maven-utils has the addition of translateCommandline(), which doesn't exactly match POSIX shell behavior, but I don't think that any of its divergences are exploitable.\r\n\r\nIts BourneShell implementation, on the other hand, looks to be an exact match for the one where this issue applied.\r\n\r\nNot sure when I'll have a chance to port this patch over -- a bit swamped right now. 
I'll submit an MSHARED issue immediately, and do the port if it's still incomplete at such time as opportunity permits.","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"created":"2013-10-23T15:44:19.464-0500","updated":"2013-10-23T15:44:19.464-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/334591","id":"334591","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"Created MSHARED-297","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles 
Duffy","active":true},"created":"2013-10-23T15:50:07.127-0500","updated":"2013-10-23T15:50:07.127-0500"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/339948","id":"339948","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=gdomjan","name":"gdomjan","emailAddress":"gorf4673@gmail.com","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Greg Domjan","active":true},"body":"3.0.16 appears to have caused a regression: command line args are no longer quoted properly.\r\nWorking with versions [1.5.1,3.0.15] - one example of the original issue was fixed with PLXUTILS-64, originally identified to me through MSHARED-21 ","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=gdomjan","name":"gdomjan","emailAddress":"gorf4673@gmail.com","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Greg 
Domjan","active":true},"created":"2014-01-23T16:31:14.867-0600","updated":"2014-01-23T16:31:14.867-0600"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/339949","id":"339949","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"Greg, could you construct a test case demonstrating any of these new failure modes? (Otherwise, I'd have to dig into exactly how the tools in question are invoking this code).","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles 
Duffy","active":true},"created":"2014-01-23T17:17:07.637-0600","updated":"2014-01-23T17:17:07.637-0600"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/339954","id":"339954","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=gdomjan","name":"gdomjan","emailAddress":"gorf4673@gmail.com","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Greg Domjan","active":true},"body":"Are you after a plexus unit test case, or something using plexus showing an integration test case?\r\nMy current usage is in https://github.com/GregDomjan/wix-maven-plugin various modules use it, however the example I have from PLXUTILS-164 comes from\r\nhttps://github.com/GregDomjan/wix-maven-plugin/blob/master/src/main/java/net/sf/wix/AbstractLinker.java","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=gdomjan","name":"gdomjan","emailAddress":"gorf4673@gmail.com","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Greg 
Domjan","active":true},"created":"2014-01-23T19:39:38.479-0600","updated":"2014-01-23T19:39:38.479-0600"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/339955","id":"339955","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"Thanks -- the AbstractLinker use case is exactly what I was looking for.\r\n\r\nThere's some... interesting behavior in there, inasmuch as it appears to be trying to handle a Commandline class that it *assumes* will misbehave, and I'm going to need to dig in a bit to analyze what's going on.","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles 
Duffy","active":true},"created":"2014-01-23T19:43:34.796-0600","updated":"2014-01-23T19:43:34.796-0600"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/340219","id":"340219","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"An update --\r\n\r\nI've confirmed that Commandline.exec() is using a local shell in this case. This is contrary to intent -- the code is intended to call Runtime.exec(String[], String[], File) with the list of user-provided commands, with no shell quoting whatsoever applied, in the case in question.\r\n\r\nThe new test suite cases validate that shell quoting is correct when it's performed. 
What we have here, though, is a case wherein shell quoting isn't being performed at all -- which would be safe and correct if Runtime.exec were being used to invoke the user's argument list without a shell; however, it's happening even when a shell is in use.\r\n\r\nI'm travelling for the next 8 days, and so can't promise as to when continued analysis will have an opportunity to take place.","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"created":"2014-01-26T18:26:05.706-0600","updated":"2014-01-26T18:26:49.934-0600"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/340236","id":"340236","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"Trying to determine how I reproduced this behaviour last night -- CNR using the following code:\r\n\r\n{code}\r\n(import '[org.codehaus.plexus.util.cli Commandline])\r\n(doto (Commandline.)\r\n (.addArguments (into-array String [\"printf\" \"%s\\n\" \"hel'lo$cruel\" \"wor'ld\"]))\r\n (.setWorkingDirectory \"/tmp\")\r\n (.execute))\r\n{code}\r\n\r\n...using strace on this command 
line shows that it's being passed to execve correctly -- no /bin/sh involved.","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"created":"2014-01-27T07:05:14.909-0600","updated":"2014-01-27T07:05:14.909-0600"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/340262","id":"340262","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=gdomjan","name":"gdomjan","emailAddress":"gorf4673@gmail.com","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Greg Domjan","active":true},"body":"Thanks for the feedback, Charles. If I'm understanding correctly so far\r\n* the CommandLine/Execution class should handle an argument containing spaces and also ending with backslash '\\'. \r\n* as such there should have been no need for escaping the backslash in the argument list as that should be done by the CommandLine or execution class based on actually using cmd executor Vs calling execv (or similar?) 
api directly.\r\n* wix-maven-plugin should not try and escape the final \\\r\n\r\nFrom the perspective of the wix-maven-plugin\r\nRemoving the escape and using 3.0.16 results in successful execution.\r\nRemoving the escape using 3.0.15 fails.\r\nSo it appears to be my issue that you fixed it and my workaround now breaks - should it be able to end with an arbitrary number of \\ ?\r\n\r\nIn both cases getLog().info(cl.toString()); generates log info like \r\n[INFO] cmd.exe /X /C \"light.exe -out ... -b \"c:\\test repo\\\\\" ... \"\r\n\r\nis 'cmd.exe' an indication of using the command shell rather than execv or is this just a toString representation?\r\n\r\nAs I'm not familiar with the execution path, wondering if the simplification has taken out the cause\r\nWould it have anything to do with how the org.codehaus.plexus.util.cli.CommandLineUtils class calls or configures the Commandline or the Process ? \r\n?Perhaps the example test would better show escaping using - \"hel\\\"lo$cruel wor'ld\\\\\"\r\n","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=gdomjan","name":"gdomjan","emailAddress":"gorf4673@gmail.com","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Greg 
Domjan","active":true},"created":"2014-01-27T12:20:53.808-0600","updated":"2014-01-27T12:20:53.808-0600"},{"self":"http://jira.codehaus.org/rest/api/2/issue/148945/comment/340266","id":"340266","author":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"body":"It should be possible to end with an arbitrary number of backslashes, and they should be passed to the target process literally.\r\n\r\nThe .toString() call is definitely generating things which aren't legal/valid, and which also don't correctly represent the actual mechanism used for invocation. I'm going to attempt to look into this as time permits.","updateAuthor":{"self":"http://jira.codehaus.org/rest/api/2/user?username=charles%40dyfis.net","name":"charles@dyfis.net","emailAddress":"charles@dyfis.net","avatarUrls":{"16x16":"http://jira.codehaus.org/secure/useravatar?size=xsmall&avatarId=10232","24x24":"http://jira.codehaus.org/secure/useravatar?size=small&avatarId=10232","32x32":"http://jira.codehaus.org/secure/useravatar?size=medium&avatarId=10232","48x48":"http://jira.codehaus.org/secure/useravatar?avatarId=10232"},"displayName":"Charles Duffy","active":true},"created":"2014-01-27T13:47:22.700-0600","updated":"2014-01-27T13:47:22.700-0600"}]},"timeoriginalestimate":null,"aggregatetimespent":null}}