From a4e2d2c4c739343e1419435f48e30d8c70320c3b Mon Sep 17 00:00:00 2001
From: Igor Velkov <325961+iav@users.noreply.github.com>
Date: Mon, 2 Mar 2026 02:55:58 +0200
Subject: [PATCH] (#9400 P1b) configuration: change-tracking: replace eval with nameref
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The original code used eval to read an array variable with a dynamic name: eval "var_value=\"\${${var_name}[@]}\"" # sorry eval works, but it executes arbitrary code — if $var_name were ever a crafted string, it could inject commands. bash 4.3+ nameref (local -n) creates an alias to the variable named in $var_name without executing any code: local -n _ct_arr_ref="${var_name}" var_value="${_ct_arr_ref[*]}" unset -n _ct_arr_ref unset -n removes only the alias (not the referenced array), preventing "already a nameref" warnings on subsequent loop iterations.

Co-Authored-By: Claude Sonnet 4.6
---
 lib/functions/configuration/change-tracking.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/lib/functions/configuration/change-tracking.sh b/lib/functions/configuration/change-tracking.sh
index 00f4994fa5..c5ed714c92 100644
--- a/lib/functions/configuration/change-tracking.sh
+++ b/lib/functions/configuration/change-tracking.sh
@@ -18,7 +18,13 @@ function track_config_variables() {
 # if the var is an array...
 if [[ "${array_values:-"no"}" == "yes" ]]; then
- eval "var_value=\"\${${var_name}[@]}\"" # sorry
+ # bash nameref (local -n) creates an alias for the variable named in $var_name —
+ # no eval needed, no code-injection risk. Works for arrays and scalars alike.
+ # unset -n removes the alias only (not the referenced array) to avoid
+ # "already a nameref" warnings on the next loop iteration.
+ local -n _ct_arr_ref="${var_name}"
+ var_value="${_ct_arr_ref[*]}"
+ unset -n _ct_arr_ref
 value_text="${blue_color:-}(${bright_blue_color:-}${var_value}${blue_color:-})"
 else
 var_value="${!var_name}"
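Review bot: The added comment's "no code-injection risk" promises more than `local -n _ct_arr_ref="${var_name}"` delivers, because bash also accepts a subscripted name as a nameref target and evaluates subscripts when the reference is used, so the alias is only as safe as the guarantee that `var_name` is a plain identifier. Where `var_name` comes from is not visible here (track_config_variables starts and ends outside the hunk), so I would put a guard ahead of the nameref, e.g. `[[ "${var_name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue` (or whatever skip path the loop uses), and reword the comment to `# nameref avoids eval; var_name must still be a plain identifier`. The `${!var_name}` in the else branch rests on the same assumption and would be covered by the same guard if it sits above the `if`. Separately, `[*]` joins on the first character of IFS where the old `[@]` assignment joined on a space, which only matters if IFS is non-default at this point.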