[
https://issues.apache.org/jira/browse/MNG-6432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16861799#comment-16861799
]
Elias Elmqvist Wulcan commented on MNG-6432:
--------------------------------------------
Have you considered adding a validation step to the parsed ids instead of
automatically trimming whitespace? Even if it is impossible to know which ids
are defined, it should be possible to immediately deny ids with leading or
trailing whitespace as such ids would be hard or impossible to define in an xml
file.
If validation is impossible too, then please add a warning to the
documentation. Using a repository even when developer has tried to block it is
a potential security issue.
> Space in <mirrorOf /> silently disables mirror
> ----------------------------------------------
>
> Key: MNG-6432
> URL: https://issues.apache.org/jira/browse/MNG-6432
> Project: Maven
> Issue Type: Bug
> Components: Settings
> Affects Versions: 3.0.5, 3.3.9, 3.5.2
> Environment: Maven 3.5.2 (Red Hat 3.5.2-5 on Fedora 28).
> and
> Maven 3.0.5 (Red Hat 3.0.5-17 on RHEL 7.5)
> and
> Maven 3.3.9 on RHEL 7.5
> Reporter: Elias Elmqvist Wulcan
> Priority: Minor
> Labels: newbie
> Fix For: wontfix-candidate
>
> Attachments: Possible list of hits.png
>
>
>
> Maven silently ignores mirror configuration when there is a space in
> mirrorOf. This could be a major problem if the developer's mirror
> configuration is critical and this causes her to not notice that the mirror
> is disabled.
> Without space inside mirrorOf, the mirror setting is respected.
> {code:java}
> <settings>
> <mirrors>
> <mirror>
> <id>loopback</id>
> <name>loopback</name>
> <url>http://127.0.0.1</url>
> <mirrorOf>!my-repo,*</mirrorOf>
> </mirror>
> </mirrors>
> </settings>
> {code}
> {noformat}
> [INFO] Scanning for projects...
> [INFO]
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Building mirrorOf-test 1
> [INFO]
> ------------------------------------------------------------------------
> Downloading from loopback:
> http://127.0.0.1/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom
> {noformat}
>
> With a space after the comma in mirrorOf, the mirror is ignored without
> warning.
> {code:java}
> <settings>
> <mirrors>
> <mirror>
> <id>loopback</id>
> <name>loopback</name>
> <url>http://127.0.0.1</url>
> <mirrorOf>!my-repo, *</mirrorOf>
> </mirror>
> </mirrors>
> </settings>
> {code}
> {noformat}
> [INFO] Scanning for projects...
> [INFO]
> [INFO]
> ------------------------------------------------------------------------
> [INFO] Building mirrorOf-test 1
> [INFO]
> ------------------------------------------------------------------------
> Downloading from central:
> https://repo.maven.apache.org/maven2/org/apache/maven/plugins/maven-clean-plugin/2.5/maven-clean-plugin-2.5.pom
> ...
> {noformat}
>
> The problem is reproducible with minimal pom.xm
> {code:java}
> <project>
> <modelVersion>4.0.0</modelVersion>
> <groupId>com.example</groupId>
> <artifactId>mirrorOf-test</artifactId>
> <version>1</version>
> </project>
> {code}
>
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
