Restrict allowed variable names.
As inspired by @ben.boeckel's comment on !6474 (merged), I wanted to spark discussion on restricting pathological variable names.
The following rules seem like a decent first cut:
- If the name contains whitespace, a semicolon (
;
), an equals sign (=
), or forms a valid number, it is rejected. - If the name begins with an underscore (
_
) or letter, it is accepted. - Otherwise, the name must contain only alphanumeric characters
plus the following:
_/.+-
(i.e. the characters allowed in literal variable references by :policy:CMP0053
).
Since this is easy to implement, I wrote a sketch in !6479 (closed) that we can discuss. Currently, the existing tests are working (PkgConfig had to be fixed to strip whitespace from its dynamic variable names), but I have not written any new tests (to save time in case this whole idea is rejected outright).
As it happens, this policy would also fix #21747, which concerns bad behavior when creating cache entries with =
in the name.
Also, I'm sorry for not following procedure re: draft MRs (c.f. !6479 (closed)); I'm still new here. Thanks for your patience.