Report

CVE-2014-6271: Shellshock Command Injection in Bash Function Import


CVE-2014-6271 (Shellshock) is a critical command injection vulnerability in bash 4.3 and earlier. During shell initialization, bash imports function definitions from environment variables. The vulnerability is in the initialize_shell_variables() function in variables.c, which checks whether an environment variable's value starts with "() {" (bash function syntax). If it does, the function concatenates the variable name and value into a single string and passes it to parse_and_execute().

The critical flaw is that parse_and_execute() does not validate that the string contains only a function definition. It keeps parsing and executing any shell commands that follow the function definition's closing brace. Setting an environment variable such as TEST='() { echo hi; } ; touch /tmp/pwned' is therefore enough for arbitrary command execution: when bash initializes, it executes both the function definition and the injected command, completely bypassing shell protections, since execution occurs during startup before normal security checks are in place.
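The check that the import path lacks can be run from the outside, over the environment a service is about to hand to bash. The following is an added example, not code from bash or from this report: classify() and audit_environment() are hypothetical names, the scanner is a simplified brace and quote tracker rather than a bash parser, and the sample environment is constructed around the TEST value quoted above.

```python
FUNC_PREFIX = "() {"  # marker that initialize_shell_variables() looks for, per the report


def classify(value):
    """Return (verdict, rest) for one environment variable value.

    Verdicts: "not-function", "clean" (only a function body), "trailing"
    (text after the closing brace, returned in rest) or "malformed"
    (braces never balance). Assumption: tracking quotes, backslashes and
    brace depth is enough for triage; this is not a bash parser.
    """
    if not value.startswith(FUNC_PREFIX):
        return ("not-function", "")
    depth, quote, i = 0, None, value.index("{")
    while i < len(value):
        ch = value[i]
        if quote:
            if ch == "\\" and quote == '"':
                i += 1  # skip the escaped character inside double quotes
            elif ch == quote:
                quote = None
        elif ch == "\\":
            i += 1  # skip an escaped character outside quotes
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:  # end of the function body
                rest = value[i + 1:].strip()
                return ("trailing", rest) if rest else ("clean", "")
        i += 1
    return ("malformed", value)


def audit_environment(env):
    """Map variable name -> (verdict, rest) for values that need review."""
    results = {name: classify(value) for name, value in env.items()}
    return {n: r for n, r in results.items() if r[0] in ("trailing", "malformed")}


# Constructed sample environment; TEST is the value quoted in the report.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "GREET": "() { echo hi; }",
    "QUOTED": "() { echo '}'; }",
    "TEST": "() { echo hi; } ; touch /tmp/pwned",
    "BROKEN": "() { echo hi",
}

if __name__ == "__main__":
    for name, (verdict, rest) in audit_environment(SAMPLE_ENV).items():
        print(f"{name}: {verdict}: {rest!r}")
```

A "clean" verdict only means nothing follows the function body; it says nothing about whether the installed bash is patched.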
