[gh-11363] Use temp file to capture Java parser output safely

gnodet · gnodet · commit 1623c1de1426 · 2025-11-03T21:57:36.000+01:00
Using 'for /f' to capture output with pipes causes the pipes to be
interpreted as command separators. Instead, write to a temp file
and read with 'set /p' which doesn't interpret special characters.
diff --git a/apache-maven/src/assembly/maven/bin/mvn.cmd b/apache-maven/src/assembly/maven/bin/mvn.cmd
@@ -185,8 +185,11 @@ rem Compile the parser if not already compiled
 if not exist "%MAVEN_HOME%\bin\JvmConfigParser.class" (
     "%JAVACMD%" -d "%MAVEN_HOME%\bin" "%MAVEN_HOME%\bin\JvmConfigParser.java" >nul 2>&1
 )
-rem Run the parser
-for /f "delims=" %%i in ('"%JAVACMD%" -cp "%MAVEN_HOME%\bin" JvmConfigParser "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" "%MAVEN_PROJECTBASEDIR%" 2^>nul') do set JVM_CONFIG_MAVEN_OPTS=%%i
+rem Run the parser and save output to temp file to avoid pipe interpretation issues
+set "JVM_CONFIG_TEMP=%TEMP%\mvn-jvm-config-%RANDOM%.txt"
+"%JAVACMD%" -cp "%MAVEN_HOME%\bin" JvmConfigParser "%MAVEN_PROJECTBASEDIR%\.mvn\jvm.config" "%MAVEN_PROJECTBASEDIR%" > "%JVM_CONFIG_TEMP%" 2>nul
+set /p JVM_CONFIG_MAVEN_OPTS=<"%JVM_CONFIG_TEMP%"
+del "%JVM_CONFIG_TEMP%" 2>nul
 
 :endReadJvmConfig
 
