(#9400 P1b) configuration: change-tracking: replace eval with nameref

The original code used eval to read an array variable with a dynamic name: eval "var_value=\"\${${var_name}[@]}\"" # sorry eval works, but it executes arbitrary code — if $var_name were ever a crafted string, it could inject commands. bash 4.3+ nameref (local -n) creates an alias to the variable named in $var_name without executing any code: local -n _ct_arr_ref="${var_name}" var_value="${_ct_arr_ref[*]}" unset -n _ct_arr_ref unset -n removes only the alias (not the referenced array), preventing "already a nameref" warnings on subsequent loop iterations. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-02 02:55:58 +02:00 · 2026-03-02 02:55:58 +02:00 · a4e2d2c4c7
commit a4e2d2c4c7
parent 02f70dd065
1 changed files with 7 additions and 1 deletions
--- a/lib/functions/configuration/change-tracking.sh
+++ b/lib/functions/configuration/change-tracking.sh
@ -18,7 +18,13 @@ function track_config_variables() {

 		# if the var is an array...
 		if [[ "${array_values:-"no"}" == "yes" ]]; then
-			eval "var_value=\"\${${var_name}[@]}\"" # sorry
+			# bash nameref (local -n) creates an alias for the variable named in $var_name —
+			# no eval needed, no code-injection risk. Works for arrays and scalars alike.
+			# unset -n removes the alias only (not the referenced array) to avoid
+			# "already a nameref" warnings on the next loop iteration.
+			local -n _ct_arr_ref="${var_name}"
+			var_value="${_ct_arr_ref[*]}"
+			unset -n _ct_arr_ref
 			value_text="${blue_color:-}(${bright_blue_color:-}${var_value}${blue_color:-})"
 		else
 			var_value="${!var_name}"