Why this matters
The bug. eval re-runs the bash parser on its argument. The first parse turned $1 into the user's literal text; eval then parses that text *as a script*. Any character that means something to bash — ;, &&, $() — gets honored.
The fix. Drop eval entirely. tar accepts the path as an argument; quoting $name once is all the protection needed because tar (the program, not the shell) treats the bytes as a filename.
Heuristic. eval is almost always wrong in scripts that consume user input. If you find yourself reaching for it, restate the problem: usually you want a function or an array expansion, not a re-parse.
Review heuristic
If a string built from a request flows into a function whose name involves the words shell, system, exec, popen, or eval, treat it as actively dangerous until you can show that no part of the string is attacker-controlled.
External reference: CWE-78: OS Command Injection.
↳ CWE-78: OS Command Injection; the `eval` family.