From 3fc5d517cdf57b06c761f74ffbf6c92afcb56b4e Mon Sep 17 00:00:00 2001
From: Igor Velkov <325961+iav@users.noreply.github.com>
Date: Mon, 2 Mar 2026 02:50:49 +0200
Subject: [PATCH] (#9400 P1b) cli: utils-cli: replace eval with declare -g

eval "declare -g $name=\"$value\"" is equivalent to the safer declare -g "${name}=${value}" which avoids code injection risk.

Co-Authored-By: Claude Sonnet 4.6
---
 lib/functions/cli/utils-cli.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/functions/cli/utils-cli.sh b/lib/functions/cli/utils-cli.sh
index 78ec6fd367..30d83bf00d 100644
--- a/lib/functions/cli/utils-cli.sh
+++ b/lib/functions/cli/utils-cli.sh
@@ -65,7 +65,7 @@ function apply_cmdline_params_to_env() {
 if [[ -z "${!param_name+x}" ]] || [[ "${current_env_value}" != "${param_value}" ]]; then
 display_alert "Applying cmdline param" "'$param_name': '${current_env_value_desc}' --> '${param_value_desc}' ${__my_reason}" "cmdline"
 # use `declare -g` to make it global, we're in a function.
-eval "declare -g $param_name=\"$param_value\""
+declare -g "${param_name}=${param_value}"
 else
 # rpardini: strategic amount of spacing in log files show the kinda neuroticism that drives me.
 display_alert "Skip cmdline param" "'$param_name': already set to '${param_value_desc}' ${__my_reason}" "info"
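Review bot: The new `declare -g "${param_name}=${param_value}"` removes the eval, but `param_name` is still passed through unvalidated, and bash's `declare` interprets an array-subscript form of the name (and the `${!param_name+x}` indirect expansion three lines earlier rejects non-identifiers with a fatal "bad substitution"), so the value side is now safe but the name side is only as safe as whatever produced it. Nothing in this hunk shows the name being checked; if the caller does not already restrict it, add a guard ahead of the `if` such as `[[ "${param_name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || return 1` (or route it through the project's usual error reporting) so a malformed key from the command line is rejected with a clear message rather than reaching `declare`. It would also be worth extending the comment on the line above the assignment to say why `declare -g` is used instead of `eval`, e.g. `# use declare -g (not eval): the value is never re-parsed as shell code; the name must still be a plain identifier.` The body of apply_cmdline_params_to_env starts and ends outside this hunk.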