Comment My explanation (Score 1) 399
This is bad. The reason is lots of things that use bash put unchecked data into environment variables.
As an example, imagine some cgi wants to test is a string is valid, and somebody wrote a clever bash script that does this check, and reads the string by looking in $INPUT. The cgi takes whatever the user typed on their web form, does setenv("INPUT", text) and then runs the bash script, which uses "$INPUT" at places it wants the text.
No matter how carefully written the bash script is, if the user can type "() {
It seems hard to believe such a bug is possible. It appears that when setting an environment variable, if it is a function, it runs some code that splits the text at semicolons, puts the first section in the environment variable, then runs the rest as shell input! But I can't figure out any reason such code exists. I thought at first it was pasting "export " on the start of the environment line and executing that using the interpreter, but tests show that does not work because it splits at the spaces. And if you add quoting to fix that then it also fixes the semicolon. And it obviously examined the environment variable to see if is a function, because semicolons in non-function ones are handled correctly. So I think bash code might be quite a mess for such a bug to be possible without much more obvious bugs happening...