Report

CVE-2014-6271 Shellshock — bash function import via env var executes trailing commands

81cb52df-20d9-46bd-975b-aacf46df4d2c

Bash 4.3 and earlier import shell functions from environment variables at startup. In variables.c::initialize_shell_variables, any env var whose value begins with the literal "() {" is treated as an exported function. The code reconstructs "<name> <body>" and passes it to parse_and_execute(), the general shell parser. The parser does not stop at the closing "}" of the function body: it continues parsing and EXECUTES any commands that follow. Because attackers control env vars in many contexts (CGI via HTTP headers, DHCP, OpenSSH ForceCommand, mail filters), any process that exec()s bash with an attacker-influenced environment runs arbitrary commands at startup as the bash UID, before user commands or privilege drops.

Analysis steps:

1. Followed the call-chain hint main -> shell_initialize -> initialize_shell_variables -> parse_and_execute.
2. grep -n initialize_shell_variables variables.c: defined at line 319.
3. Read variables.c:319-429. The function-import branch is at lines 352-388: condition STREQN("() {", string, 4), then xmalloc + strcpy build temp_string = "<name> <body>", then parse_and_execute(temp_string, name, SEVAL_NONINT|SEVAL_NOHIST) at line 362.
4. Spot-checked builtins/evalstring.c::parse_and_execute (line 190): it is the generic shell command parser/executor; no flag restricts it to a single function definition.
5. Conclusion: any trailing tokens after the "}" are parsed as additional commands and executed during shell init.

Classic PoC: env x='() { :;}; echo PWN' bash -c : prints PWN.
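The following Python helpers are an added example and are not code from the report or from bash itself. They mirror the prefix test the report describes (STREQN("() {", string, 4)), show which part of a value an unpatched bash would hand to parse_and_execute() as trailing commands, strip such values from an environment before a wrapper spawns a shell, and run the report's own PoC against the locally installed bash to check whether it is patched. The function names, the SAMPLE_HEADERS dict and the marker string are constructed for this example; the brace matching in trailing_commands() is an approximation (it ignores quoting) and is meant for triage, not as a shell parser.

```python
"""Defensive helpers for CVE-2014-6271 (Shellshock).

Added example: not the report's code and not bash source. Names of the
functions, the sample headers and the marker are constructed here.
"""
import os
import shutil
import subprocess

# Unpatched bash (variables.c::initialize_shell_variables) treats any env
# value beginning with exactly these four bytes as an exported function:
#     STREQN("() {", string, 4)
FUNCTION_EXPORT_PREFIX = "() {"

# Constructed sample request headers: one benign, one carrying the PoC shape
# from the report. A CGI gateway exports these as HTTP_* env vars.
SAMPLE_HEADERS = {
    "Host": "example.invalid",
    "User-Agent": "() { :;}; echo PWN",
}


def is_function_export(value):
    """The same test bash applies: exact prefix, no leading whitespace."""
    return value.startswith(FUNCTION_EXPORT_PREFIX)


def trailing_commands(value):
    """Text after the function body's closing brace, i.e. what an unpatched
    bash would execute during startup.

    Returns '' when nothing follows the body, None when the value is not a
    function export or the body never closes (bash reports a parse error).
    Brace matching is approximate: quoting inside the body is ignored.
    """
    if not is_function_export(value):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                rest = value[i + 1:].strip()
                # drop the separator between the definition and the payload
                return rest.lstrip(";").strip()
    return None


def scan_cgi_headers(headers):
    """Flag headers that would become function imports once exported as
    HTTP_<NAME> environment variables. Returns (env_name, commands) pairs."""
    findings = []
    for name, value in headers.items():
        if is_function_export(value):
            env_name = "HTTP_" + name.upper().replace("-", "_")
            findings.append((env_name, trailing_commands(value)))
    return findings


def sanitized_env(env=None):
    """Copy of env without function-looking values, for wrappers that must
    exec bash with externally influenced variables.

    Patched bash only imports functions from variables named
    BASH_FUNC_<name>%%; those are dropped as well unless the caller
    deliberately wants to pass exported functions through.
    """
    src = os.environ if env is None else env
    return {k: v for k, v in src.items()
            if not is_function_export(v) and not k.startswith("BASH_FUNC_")}


def probe_local_bash(bash=None):
    """Run the report's PoC against the installed bash.

    True  -> trailing commands executed (vulnerable)
    False -> nothing after the body ran (patched)
    None  -> no bash binary found
    """
    path = bash or shutil.which("bash")
    if path is None:
        return None
    marker = "SHELLSHOCK_MARKER"  # constructed, stands in for "PWN"
    env = sanitized_env()
    env["x"] = "() { :;}; echo " + marker
    result = subprocess.run([path, "-c", ":"], env=env,
                            capture_output=True, text=True)
    return marker in result.stdout


if __name__ == "__main__":
    for env_name, cmds in scan_cgi_headers(SAMPLE_HEADERS):
        print("suspicious %s would run: %r" % (env_name, cmds))
    print("local bash vulnerable:", probe_local_bash())
```

scan_cgi_headers() is the check to run over request logs or at a reverse proxy; sanitized_env() is the mitigation for a wrapper that cannot avoid spawning bash with outside input; probe_local_bash() answers the question the report's PoC answers, as a value rather than by eyeballing output.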