CVE-2014-6271: Shellshock - Function definition injection via environment variables

Bash 4.3 allows arbitrary command execution through specially crafted environment variables. When bash initializes, it reads environment variables looking for function definitions (those starting with '() {'). The vulnerable code constructs a shell command by concatenating the variable name with the function definition, but in non-POSIX mode (the default), it fails to validate that the variable name is a legal shell identifier. This allows attackers to inject shell metacharacters (backticks, $(), semicolons, pipes, etc.) in the environment variable name, which are then interpreted by the shell parser, leading to remote code execution.