(#9400 P1b) configuration: change-tracking: replace eval with nameref

The original code used eval to read an array variable with a dynamic name: eval "var_value=\"\${${var_name}[@]}\"" # sorry eval works, but it executes arbitrary code — if $var_name were ever a crafted string, it could inject commands. bash 4.3+ nameref (local -n) creates an alias to the variable named in $var_name without executing any code: local -n _ct_arr_ref="${var_name}" var_value="${_ct_arr_ref[*]}" unset -n _ct_arr_ref unset -n removes only the alias (not the referenced array), preventing "already a nameref" warnings on subsequent loop iterations. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
(#9400 P1b) configuration: interactive: replace eval with declare -g
2026-03-02 02:55:58 +02:00 · 2026-03-02 02:51:26 +02:00 · 2026-03-02 02:50:49 +02:00
3 changed files with 10 additions and 4 deletions
--- a/lib/functions/cli/utils-cli.sh
+++ b/lib/functions/cli/utils-cli.sh
@ -65,7 +65,7 @@ function apply_cmdline_params_to_env() {
 		if [[ -z "${!param_name+x}" ]] || [[ "${current_env_value}" != "${param_value}" ]]; then
 			display_alert "Applying cmdline param" "'$param_name': '${current_env_value_desc}' --> '${param_value_desc}' ${__my_reason}" "cmdline"
 			# use `declare -g` to make it global, we're in a function.
-			eval "declare -g $param_name=\"$param_value\""
+			declare -g "${param_name}=${param_value}"
 		else
 			# rpardini: strategic amount of spacing in log files show the kinda neuroticism that drives me.
 			display_alert "Skip     cmdline param" "'$param_name': already set to '${param_value_desc}' ${__my_reason}" "info"
--- a/lib/functions/configuration/change-tracking.sh
+++ b/lib/functions/configuration/change-tracking.sh
@ -18,7 +18,13 @@ function track_config_variables() {

 		# if the var is an array...
 		if [[ "${array_values:-"no"}" == "yes" ]]; then
-			eval "var_value=\"\${${var_name}[@]}\"" # sorry
+			# bash nameref (local -n) creates an alias for the variable named in $var_name —
+			# no eval needed, no code-injection risk. Works for arrays and scalars alike.
+			# unset -n removes the alias only (not the referenced array) to avoid
+			# "already a nameref" warnings on the next loop iteration.
+			local -n _ct_arr_ref="${var_name}"
+			var_value="${_ct_arr_ref[*]}"
+			unset -n _ct_arr_ref
 			value_text="${blue_color:-}(${bright_blue_color:-}${var_value}${blue_color:-})"
 		else
 			var_value="${!var_name}"
--- a/lib/functions/configuration/interactive.sh
+++ b/lib/functions/configuration/interactive.sh
@ -30,8 +30,8 @@ function interactive_config_prepare_terminal() {
 # $1: variable name
 # $2: variable value
 function set_interactive_config_value() {
-	eval "$1"='$2'
-	eval "ARMBIAN_INTERACTIVE_CONFIGS[${1}]"='$2'
+	declare -g "${1}=${2}"
+	ARMBIAN_INTERACTIVE_CONFIGS["${1}"]="${2}"
 }

 function interactive_finish() {