Re: Too much ado about almost nothing...
Now you have two, but you get the benefit of an explanation. This is NOT a problem with the exposure method, be it CGI or whatever. It's a problem with Bash not properly parsing vars. Trying the "it's not supposed to be used for" defense is just about as good as Jobs' "you're holding it wrong" stunt... A spade is a spade and a vulnerability a vulnerability.
And your comment only proves that Open Source has long moved from a "philosophy" to a religion, chock-full of dogmas and unwilling/unable to face (even substantiated) criticism. And like a "good" religion, you obviously must be "right" thus can do no wrong. And along come the usual "it's not important/relevant/substantial" excuses zealots, especially the devs, are so fond of.
Grow up, a turd is a turd, and if you call it an OpenTurd it still won't smell like roses :)