First of all, thank you for all of your hard work on JRuby! It is very much appreciated.

It seems like some of the issues surrounding the current implementation of the chdir option to Kernel#spawn and friends are well-known (#985, #3653, #3655). I am aware that JRuby transitioned from Java's subprocess execution system to MRI's in recent releases, which was the source of some bugs. I am also aware of the concern associated with doing a native chdir in the JVM process.

Instead of just reporting an issue, I thought it would be helpful to add some [pending] tests that illustrate how the current behavior differs from MRI/the expected behavior. The two tests with pend fail in JRuby, while they pass in MRI 2.3.1 with flying colors (after removing pend).

The behavior of these functions when given the chdir option varies from MRI in the following ways:

• JRuby always executes the command through the shell when given the chdir option. This is not appropriate because characters in a shell command have different meaning than those passed directly to exec and friends. For example, a shell expands $var, etc. while those characters retain literal meaning in exec. Kernel#spawn has a specific (albeit unnecessarily complex) contract as to when it will execute a command-line through the shell vs. directly, and chdir in JRuby overrides that.
• JRuby currently surrounds the value of the chdir option with single quotes and inserts it into the command passed to the shell. Without too much effort, it is easy to achieve arbitrary code execution by injecting shell commands into the value of chdir. This is a possible security vulnerability, especially when the value of chdir is taken from user input.

I'm not sure of the best way to address these issues in the implementation. Per @headius's comments here, I think it would be worth giving native chdir a shot just to see what happens. I'd be happy to assist in implementation and testing with all the time I have available.

What do you think? Again, thank you for JRuby!