Draft: restrict allowed variable names.
As inspired by @ben.boeckel's comment on !6474 (merged), this MR implements a new policy (numbered CMP0127) which restricts variable names according to the following rules.
- If the name contains whitespace, a semicolon (`;`), an equals sign (`=`), or forms a valid number, it is rejected.
- If the name begins with an underscore (`_`) or letter, it is accepted.
- Otherwise, the name must contain only alphanumeric characters plus the following: `_/.+-` (i.e. the characters allowed in literal variable references by :policy:CMP0053).
It was easy to implement, so I thought I'd open this MR as a venue for discussion. Currently, the existing tests are working (PkgConfig had to be fixed to strip whitespace from its dynamic variable names), but I have not written any new tests (to save time in case this whole idea is rejected outright).
As it happens, this policy would also fix #21747, which concerns bad behavior when creating cache entries with `=` in the name.
Edited by Alex Reinking
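
The three rules in the description above, as an added C++ sketch that is not code from this MR or from CMake. `check_variable_name`, `looks_like_number` and the `NameCheck` enum are hypothetical names, and because the description does not define "a valid number", the example assumes an optional sign followed by decimal digits with at most one `.`.

```cpp
#include <cctype>
#include <initializer_list>
#include <iostream>
#include <string>

// Assumption: the page does not define "a valid number"; here it means an
// optional sign, then decimal digits with at most one '.', e.g. 42, -1.5, +.5
static bool looks_like_number(const std::string& s) {
  std::size_t i = (!s.empty() && (s[0] == '+' || s[0] == '-')) ? 1 : 0;
  bool digit = false, dot = false;
  for (; i < s.size(); ++i) {
    unsigned char c = static_cast<unsigned char>(s[i]);
    if (std::isdigit(c)) digit = true;
    else if (c == '.' && !dot) dot = true;
    else return false;
  }
  return digit;
}

// Hypothetical result type, so callers can report why a name was refused.
enum class NameCheck { Accepted, ForbiddenChar, Number, BadCharset };

NameCheck check_variable_name(const std::string& name) {
  // Rule 1: whitespace, ';' or '=' anywhere, or a numeric name, is rejected.
  for (unsigned char c : name)
    if (std::isspace(c) || c == ';' || c == '=') return NameCheck::ForbiddenChar;
  if (looks_like_number(name)) return NameCheck::Number;
  // Rule 2: a leading underscore or letter is accepted as is. As worded, the
  // rest of the name is not inspected beyond rule 1.
  if (!name.empty()) {
    unsigned char first = static_cast<unsigned char>(name[0]);
    if (first == '_' || std::isalpha(first)) return NameCheck::Accepted;
  }
  // Rule 3: anything else may use only ASCII alphanumerics plus "_/.+-".
  const std::string extra = "_/.+-";
  for (unsigned char c : name)
    if (!std::isalnum(c) && extra.find(static_cast<char>(c)) == std::string::npos)
      return NameCheck::BadCharset;
  return NameCheck::Accepted;
}

int main() {
  // Constructed sample names, not taken from the MR's tests.
  for (const char* n : {"CMAKE_CXX_FLAGS", "FOO=bar", "my var", "42", "+x", "9$"})
    std::cout << n << " -> "
              << (check_variable_name(n) == NameCheck::Accepted ? "accepted" : "rejected")
              << "\n";
}
```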