Open bluekeyes opened 8 years ago
Hmm, I just tested this locally with the master version of the plugin and it worked fine. It seems like this was fixed already or is only a problem with Jenkins Enterprise.
It seems like we are escaping `&` with `&amp;` for the prebuild script (https://github.com/palantir/gerrit-ci/blob/master/src/main/java/com/palantir/gerrit/gerritci/servlets/JobsServlet.java#L478), but I can't find a place where the escaping happens for other input. I could be missing something, but I think it's likely that a similar escaping is needed for other input fields to avoid this error.
As I just learned from doing a code review of kniktas work on stashbot, apparently we can do: `<command>$esc.xml($globalPrebuildCommand)</command>` in the Velocity template rather than attempting to escape it ourselves. Might be more robust.
(How annoying -- and ironic -- is it that I have to manually escape the less-than and greater-than symbols in my own GitHub comment?)
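Why a command containing `&&` breaks the generated job XML, and how escaping at the template boundary fixes it, as an added example that is not part of the original thread or the plugin's code. The `render` template and the `escapeXml` helper are hypothetical stand-ins for the Velocity template and `$esc.xml`.

```java
import java.io.StringReader;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

public class CommandEscapeDemo {
    // Hypothetical stand-in for the job template: a single <command> element.
    static String render(String command) {
        return "<project><command>" + command + "</command></project>";
    }

    // Minimal XML text escaping. '&' must be replaced first so the
    // entities produced by the later replacements are not escaped again.
    static String escapeXml(String s) {
        return s.replace("&", "&amp;")
                .replace("<", "&lt;")
                .replace(">", "&gt;")
                .replace("\"", "&quot;")
                .replace("'", "&apos;");
    }

    // Parses the XML and returns the text of <command>.
    // Throws SAXException when the document is not well-formed.
    static String parseCommand(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The document embeds user input, so refuse DOCTYPE declarations.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        DocumentBuilder b = f.newDocumentBuilder();
        Document doc = b.parse(new InputSource(new StringReader(xml)));
        return doc.getElementsByTagName("command").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        String command = "export FOO=bar && ./script/publish.sh"; // command from the report

        try {
            parseCommand(render(command));
            System.out.println("raw: parsed (unexpected)");
        } catch (SAXException e) {
            // A bare '&' starts an entity reference, so the parser rejects the document.
            System.out.println("raw: rejected as malformed XML: " + e.getMessage());
        }

        String roundTripped = parseCommand(render(escapeXml(command)));
        System.out.println("escaped: parsed, command intact = " + roundTripped.equals(command));
    }
}
```

The same escaping has to be applied to every user-supplied field that is written into the job XML, not only the prebuild command.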
We discovered yesterday that trying to save a build with an '&' in the publish or verify command will cause a 500 error and not save the change. From the errors, it seems like the command is not properly escaped in the XML files.
The command in question was `export FOO=bar && ./script/publish.sh`, but any command with the '&' character should fail.
The Gerrit logs have this error:
The Jenkins Enterprise logs have this error: