today, we have a number of malicious request to our web server.
assume a web server accept a request with a query
query='fn#foo=fn%20foo%20{echo%20yes};%20echo%20no%0a’
but why should a web server put arbitrary data from a remote user unrestrained into the environment?
even if rc used a restricted parser, as it stands you could still write fn#cd=fn%20cd%20{do_horrible_thing}
and it would stand a good chance of doing the horrible thing if the web server runs a shell script that does a cd.
really, as with Apache, the problem is the uncritical nature of the web server.
it's probably reasonable to have rc use a parser that accepts only functions, but that's for precision, not to fix a security problem elsewhere.