Report

CVE-2014-6271 Shellshock: bash parses past function boundary in env var imports

ff6a8c98-e1a9-4024-8da3-c0d56561cfb9

Bash 4.3 (before patch bash43-025) and all earlier releases execute attacker-controlled commands during shell startup if the value of any environment variable begins with the magic prefix '() {'. In variables.c:initialize_shell_variables, bash treats such a value as an exported function definition, builds the string name<space>value, and feeds it to parse_and_execute() with flags SEVAL_NONINT|SEVAL_NOHIST. The bug: parse_and_execute's main loop, while (*(bash_input.location.string)), does not stop at the '}' that closes the function body; it keeps parsing and executing commands until the whole input string is consumed. An attacker who controls the value of any environment variable can therefore append arbitrary commands after the function definition and have them run before the shell executes anything else. Trivially exploitable wherever untrusted input lands in the environment of a process that starts bash (including /bin/sh where that is bash): CGI (HTTP headers become HTTP_* variables), DHCP client hook scripts, sshd ForceCommand (the client's command arrives in SSH_ORIGINAL_COMMAND), sudo env_keep, etc. Two caveats for triage: the same condition checks privmode == 0, so the import is skipped in privileged mode (bash -p, setuid shells), and the upstream fix in bash43-025 passes SEVAL_FUNCDEF|SEVAL_ONECMD so that parse_and_execute accepts exactly one function definition and nothing after it; bash43-027 later moved exported functions to BASH_FUNC_name%% variable names, so an arbitrary variable's value no longer triggers the import at all.

Reachable via: main → shell_initialize → initialize_shell_variables → parse_and_execute. Hit on every bash invocation that inherits an environment variable whose value begins with '() {' (except in privileged mode, where the import is skipped).

Verification steps:
1. Recognized the call chain (main → shell_initialize → initialize_shell_variables → parse_and_execute) as the canonical Shellshock path.
2. grep -n 'initialize_shell_variables' variables.c → line 319.
3. Read variables.c:315-435; found the function-import block at lines 350-388. The trigger is STREQN("() {", string, 4) at line 352; an xmalloc'd temp_string is built as name<space>value and passed to parse_and_execute at line 362.
4. Confirmed parse_and_execute's loop in builtins/evalstring.c:190-230: while (*(bash_input.location.string)) keeps consuming the remainder of the string with no awareness of function-definition boundaries.
5. PoC: env x='() { :;}; echo VULNERABLE' bash -c "echo test" prints VULNERABLE before test on a vulnerable bash; a patched bash prints only test.
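The following is an added example, not code from the report or from bash itself. It models the CGI path the report names (a request header becoming an HTTP_* environment variable), flags variable values that carry a command after the '() { ... }' body, and probes whichever bash is in PATH with the report's canary. All function names (cgi_header_to_env, shellshock_suspicious, shellshock_probe) are this example's own, and the brace-depth heuristic in shellshock_suspicious is a detection approximation, not bash's parser.

```shell
#!/bin/sh
# Added example, not part of the original report or of bash. Function and
# variable names are this example's own.

# CGI (RFC 3875) maps a request header to HTTP_<NAME>: uppercase, '-' to '_'.
# This is how "User-Agent: () { :;}; ..." reaches bash as HTTP_USER_AGENT.
cgi_header_to_env() {
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'abcdefghijklmnopqrstuvwxyz-' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ_')"
}

# Returns 0 when VALUE begins with the '() {' magic prefix and non-blank text
# follows the brace that closes the function body (the Shellshock shape),
# 1 otherwise. Brace depth is tracked character by character; braces inside
# quotes or comments are not understood, which a real scanner must handle.
shellshock_suspicious() {
    value=$1
    case $value in
        '() {'*) ;;
        *) return 1 ;;          # not a function import at all
    esac
    rest=${value#"() {"}
    depth=1
    while [ -n "$rest" ]; do
        c=${rest%"${rest#?}"}   # first character of rest
        rest=${rest#?}
        case $c in
            '{') depth=$((depth + 1)) ;;
            '}') depth=$((depth - 1))
                 if [ "$depth" -eq 0 ]; then
                     # anything non-blank after the closing brace is a
                     # trailing command that the unpatched loop would execute
                     tail=$(printf '%s' "$rest" | tr -d ' \t\n')
                     if [ -n "$tail" ]; then return 0; else return 1; fi
                 fi ;;
        esac
    done
    return 1                    # body never closed: bash rejects the import
}

# Probes BASH_BIN (default: the bash in PATH) with the report's canary and
# prints "vulnerable", "patched" or "no-bash". A patched bash treats x as a
# plain variable and prints only "test".
shellshock_probe() {
    bash_bin=${1:-}
    [ -n "$bash_bin" ] || bash_bin=$(command -v bash || true)
    if [ -z "$bash_bin" ] || [ ! -x "$bash_bin" ]; then echo no-bash; return 0; fi
    out=$(env x='() { :;}; echo VULNERABLE' "$bash_bin" -c 'echo test' 2>/dev/null || true)
    case $out in
        *VULNERABLE*) echo vulnerable ;;
        *) echo patched ;;
    esac
}

# Stand-alone demo: a hostile User-Agent (constructed) as a CGI server exports it.
name=$(cgi_header_to_env User-Agent)
value='() { :;}; /bin/echo injected'
if shellshock_suspicious "$value"; then
    echo "$name carries a command after the function body"
fi
echo "bash in PATH: $(shellshock_probe)"
```

shellshock_suspicious is deliberately stricter than "starts with '() {'": a legitimate exported function such as '() { echo hi; }' is accepted, and only a value with text after the body's closing brace is flagged, which is the shape the unpatched parse_and_execute loop would execute. Run shellshock_probe against each bash binary on a host (not only the one in PATH) when checking for the fix.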