(#9400 P1b) configuration: change-tracking: replace eval with nameref

The original code used eval to read an array variable with a dynamic name:

    eval "var_value=\"\${${var_name}[@]}\"" # sorry

eval works, but it executes arbitrary code — if $var_name were ever a
crafted string, it could inject commands.

bash 4.3+ nameref (local -n) creates an alias to the variable named in
$var_name without executing any code:

    local -n _ct_arr_ref="${var_name}"
    var_value="${_ct_arr_ref[*]}"
    unset -n _ct_arr_ref

unset -n removes only the alias (not the referenced array), preventing
"already a nameref" warnings on subsequent loop iterations.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: iav

lib/functions/configuration/change-tracking.sh

@@ -18,7 +18,13 @@ function track_config_variables() {
 
 		# if the var is an array...
 		if [[ "${array_values:-"no"}" == "yes" ]]; then
-			eval "var_value=\"\${${var_name}[@]}\"" # sorry
+			# bash nameref (local -n) creates an alias for the variable named in $var_name —
+			# no eval needed, no code-injection risk. Works for arrays and scalars alike.
+			# unset -n removes the alias only (not the referenced array) to avoid
+			# "already a nameref" warnings on the next loop iteration.
+			local -n _ct_arr_ref="${var_name}"
+			var_value="${_ct_arr_ref[*]}"
+			unset -n _ct_arr_ref
 			value_text="${blue_color:-}(${bright_blue_color:-}${var_value}${blue_color:-})"
 		else
 			var_value="${!var_name}"