You misrepresent. rsc addressed the non-web-centric issue:

> I don't think it is super important to try to make rc defend against
> malicious environments, any more than it is to make it somehow defend
> against malicious $paths. If those are security-relevant, you've already
> lost.

On Fri, Sep 26, 2014 at 9:32 AM, Kurt H Maier wrote:
> Quoting Russ Cox :
>
>> The right fix is to eliminate all possible interaction between (1) and (2).
>> The first public fix focused instead on making (1) more robust, and guess
>> what, it wasn't good enough and now there is a *second* CVE about this
>> problem, and a *second* attempt at making (1) more robust. It is almost
>> certainly too late to change CGI, but bash could be changed to just ignore
>> CGI's variables (HTTP_*), and I hope that's what will eventually happen.
>> I'm not holding my breath: I bet we'll see a cascade of patches trying to
>> make this interaction "safe" instead of removing it.
>>
>
> This is a heartbreakingly web-centric view of these issues. The real
> problem is that bash was evaling stuff that had () { in it, and it is
> very, very much not relegated to CGI use. There are exploits in the
> wild for both DHCP and ssh.
>
> Obviously bash is an awful shell, but munging it for apache is not the
> right answer to anything.
>
> khm
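The two fixes argued over above (bash ignoring HTTP_* on one side, bash no longer parsing values that begin with "() {" on the other) both have a counterpart on the caller's side: whatever spawns the shell can refuse to pass along environment entries that carry bash's function-import marker, whether they came from CGI headers, a DHCP option or anything else. The script below is an added example, not code from this thread or from bash or any CGI gateway; the function names, the NAME=VALUE line format and the sample request variables are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: scrub bash function-import markers from environment entries
# before handing them to a shell, and check whether the local bash still
# honours the pre-fix import format. Not code from the thread or from bash.

# Pre-fix bash treated any variable whose value begins with the four
# characters "() {" as a function definition and parsed it at startup.
# is_func_import NAME=VALUE -> 0 if VALUE starts with that marker, else 1.
is_func_import() {
    case "${1#*=}" in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# scrub_env reads NAME=VALUE lines on stdin (one entry per line, the shape a
# gateway builds from request headers; values with embedded newlines are out
# of scope here) and prints only the entries whose value lacks the marker.
# Every entry is checked, not only HTTP_*: the marker is what bash acts on,
# the variable name is irrelevant to it, which is khm's point above.
scrub_env() {
    while IFS= read -r entry; do
        if is_func_import "$entry"; then
            printf 'dropped %s\n' "${entry%%=*}" >&2
        else
            printf '%s\n' "$entry"
        fi
    done
}

# bash_imports_plain_functions -> 0 if the bash on PATH still imports a
# function from a plain VALUE="() { ...; }" variable (pre-fix behaviour),
# 1 otherwise (fixed bash, or no bash at all). The value only defines a
# function named x; nothing follows the closing brace, so nothing else runs.
bash_imports_plain_functions() {
    out=$(env 'x=() { echo imported; }' bash -c 'x 2>/dev/null' 2>/dev/null)
    [ "$out" = "imported" ]
}

# Constructed sample input, laid out the way a CGI gateway would export it.
sample='HTTP_HOST=example.com
HTTP_USER_AGENT=() { :;}; echo owned
HTTP_COOKIE=() { ignored; }
QUERY_STRING=a=1'

if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$sample" | scrub_env
    if bash_imports_plain_functions; then
        echo "bash on PATH still imports plain '() { ...}' values"
    else
        echo "bash on PATH ignores plain '() { ...}' values"
    fi
fi
```

Run it as `sh scrub_env.sh run`: the two header entries whose value starts with "() {" are reported on stderr and dropped, the rest pass through, and the last line tells you whether the bash you would have spawned still parses the old import format. Scrubbing on the caller's side does not replace fixing bash; it is the other half of removing the interaction rsc describes, and it works for callers that are not a web server.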