loadConfigFile() does not properly evaluate properties with characters subject to shell expansion #7289
Description
steps
Using sbt 1.9.0 installed via Coursier
Tested on MacOS 13.2.1 using zsh 5.8.1 and bash 5.2.15 :
$ echo "-Dhttp.nonProxyHosts=this.property|contains.pipes|and.other.elements|subject.to.shell.expansion" > .jvmopts
$ sbt -d sbtVersion
.Coursier/arc/https/github.com/sbt/sbt/releases/download/v1.9.0/sbt-1.9.0.zip/sbt/bin/sbt: line 703: subject.to.shell.expansion: command not found
.Coursier/arc/https/github.com/sbt/sbt/releases/download/v1.9.0/sbt-1.9.0.zip/sbt/bin/sbt: line 703: and.other.elements: command not found
./Coursier/arc/https/github.com/sbt/sbt/releases/download/v1.9.0/sbt-1.9.0.zip/sbt/bin/sbt: line 703: contains.pipes: command not found
[addSbt] arg = '-debug'
[residual] arg = 'sbtVersion'
[residual] arg = 'sbtVersion'
[sbt_options] declare -a sbt_options='()'
[process_args] java_version = '20'
[addMemory] arg = '1024'
[addJava] arg = '-Xms1024m'
[addJava] arg = '-Xmx1024m'
[addJava] arg = '-Xss4M'
[addJava] arg = '-XX:ReservedCodeCacheSize=128m'
[addJava] arg = '-Dsbt.script=./Coursier/arc/https/github.com/sbt/sbt/releases/download/v1.9.0/sbt-1.9.0.zip/sbt/bin/sbt'
[copyRt] java9_rt = '.sbt/1.0/java9-rt-ext-homebrew_20/rt.jar'
[addJava] arg = '-Dscala.ext.dirs=.sbt/1.0/java9-rt-ext-homebrew_20'
# Executing command line:
java
-Dfile.encoding=UTF-8
-Xms1024m
-Xmx1024m
-Xss4M
-XX:ReservedCodeCacheSize=128m
-Dsbt.script=./Coursier/arc/https/github.com/sbt/sbt/releases/download/v1.9.0/sbt-1.9.0.zip/sbt/bin/sbt
-Dscala.ext.dirs=.sbt/1.0/java9-rt-ext-homebrew_20
-jar
./Coursier/arc/https/github.com/sbt/sbt/releases/download/v1.9.0/sbt-1.9.0.zip/sbt/bin/sbt-launch.jar
-debug
sbtVersionproblem
Some Java properties, such as http.nonProxyHosts, use the pipe character to separate items in a list (see https://docs.oracle.com/javase/8/docs/technotes/guides/net/proxies.html ). When loadConfigFiles() calls eval on such a property, the pipe characters are interpreted by the shell as commands, which results in error messages and the property not being included when invoking Java.
expectation
sbt should properly handle lines in config files that contain characters subject to shell expansion (|, *, etc.)
notes
If the offending characters are single-quoted, the property is interpreted correctly:
$ echo "-Dhttp.nonProxyHosts=this.property'|'contains.pipes'|'and.other.elements'|'subject.to.shell.expansion" > .jvmopts
$ [addSbt] arg = '-debug'
[residual] arg = 'sbtVersion'
[residual] arg = 'sbtVersion'
[sbt_options] declare -a sbt_options='()'
[process_args] java_version = '20'
[addMemory] arg = '1024'
[addJava] arg = '-Xms1024m'
[addJava] arg = '-Xmx1024m'
[addJava] arg = '-Xss4M'
[addJava] arg = '-XX:ReservedCodeCacheSize=128m'
addJava] arg = '-Dsbt.script=./Coursier/arc/https/github.com/sbt/sbt/releases/download/v1.9.0/sbt-1.9.0.zip/sbt/bin/sbt'
[copyRt] java9_rt = '.sbt/1.0/java9-rt-ext-homebrew_20/rt.jar'
[addJava] arg = '-Dscala.ext.dirs=.sbt/1.0/java9-rt-ext-homebrew_20'
# Executing command line:
java
-Dhttp.nonProxyHosts=this.property|contains.pipes|and.other.elements|subject.to.shell.expansion
-Xms1024m
-Xmx1024m
-Xss4M
-XX:ReservedCodeCacheSize=128m
-Dsbt.script=./Coursier/arc/https/github.com/sbt/sbt/releases/download/v1.9.0/sbt-1.9.0.zip/sbt/bin/sbt
-Dscala.ext.dirs=.sbt/1.0/java9-rt-ext-homebrew_20
-jar
./Coursier/arc/https/github.com/sbt/sbt/releases/download/v1.9.0/sbt-1.9.0.zip/sbt/bin/sbt-launch.jar
-debug
sbtVersion