
My question was why any reasonably designed modern web app would ever have user input anywhere near a shell.

There are two parts to this:

The web server adds various bits of user input to an ENV variable (e.g. user agent)

Bash is vulnerable to malicious functions in any ENV variable on startup

So your reasonably designed modern web app does not need to have user input anywhere near a shell. Your web app just needs to interact with other processes on the machine with a system call (for example sending mail, calling git for a service like github), it doesn't need to actually put user input into a system call (which is an obvious no-no).
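The mitigation this reply points at, as an added example that is not from the comment or from any project it mentions: the web app keeps user input out of the command line, but it also scrubs the environment before spawning helpers, because a CGI-style server copies headers such as User-Agent into HTTP_* variables and an unpatched bash parses any variable whose value starts with "() {" as a function definition on startup. The allow-list, the sample environment and the helper names are constructed for this example.

```python
import os
import re
import subprocess

# Values that an unpatched bash imports as a function on startup begin with "() {".
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")

# Variables a helper process legitimately needs (allow-list is an assumption).
SAFE_ENV_KEYS = {"PATH", "HOME", "LANG", "TZ"}

# Constructed CGI-style environment: the server has copied request headers
# into HTTP_* variables, so the User-Agent value reaches every child process.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "LANG": "C",
    "HTTP_HOST": "example.test",
    "HTTP_USER_AGENT": "() { :; }; echo tainted",   # benign canary value
}


def is_function_export(value: str) -> bool:
    """True if vulnerable bash would parse this value as an exported function."""
    return bool(FUNCTION_EXPORT.match(value))


def tainted_env_keys(env: dict) -> list:
    """Names of variables carrying a function export, e.g. for logging or alerting."""
    return sorted(k for k, v in env.items() if is_function_export(v))


def build_child_env(env: dict) -> dict:
    """Keep only allow-listed variables, and drop any that carry a function export."""
    return {k: v for k, v in env.items()
            if k in SAFE_ENV_KEYS and not is_function_export(v)}


def run_helper(argv: list, env: dict = None) -> subprocess.CompletedProcess:
    """Run a helper such as git or sendmail with no shell and a scrubbed environment.

    shell=False keeps bash out of this call; the scrubbed env matters because the
    helper itself may use system(3) or popen(3), which do start a shell.
    """
    source = env if env is not None else dict(os.environ)
    return subprocess.run(argv, env=build_child_env(source), shell=False,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    print("tainted:", tainted_env_keys(SAMPLE_CGI_ENV))
    print(run_helper(["/usr/bin/env"], SAMPLE_CGI_ENV).stdout)
```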
