CVE-2014-6271 Shellshock — bash function-import parser boundary bug

CVE-2014-6271 Shellshock: GNU Bash <=4.3 imports environment variables that begin with the literal prefix '() {' as exported function definitions during shell startup (variables.c, initialize_shell_variables, lines 352-388). The parser invoked via parse_and_execute() is given the synthesized string <name> <value> with only SEVAL_NONINT|SEVAL_NOHIST and does NOT stop at the function body's closing brace — so any commands appended after the function in the same env-var value are executed unconditionally during shell init. Env vars are routinely populated from untrusted sources (HTTP headers via mod_cgi, DHCP options via dhclient, OpenSSH ForceCommand, sudo wrappers), yielding pre-auth RCE.