Obviously, the newly disclosed CVE-2014-6271 is pretty bad. It's been patched now, but I think it's worthwhile to further discuss how exported functions are implemented in bash.
I'm no bash expert: before today I didn't even realize bash functions can be exported. And I certainly wouldn't expect this to work:

    % fun='() { :;}' bash -c 'declare -pf fun'
    fun ()
    {
        :
    }
    declare -fx fun

So Magic!

Because bash interprets a variable in the environment that starts with '() {' as a function, bash cannot import a *variable* whose value matches that pattern, e.g.

    % var='() {' bash -c 'declare -p var'
    bash: var: line 1: syntax error: unexpected end of file
    bash: error importing function definition for `var'
    bash: line 0: declare: var: not found

This is an undocumented "feature".

Since the only way for bash to support exporting / importing function definitions via environment variables is to have some magic token like '() {', the question comes down to whether bash should support exported functions at all.

Personally, I have never needed this feature. I would vote for its removal: It's very surprising, creates bugs, and is not very useful.

Otherwise, if this feature is going to stay (can anyone enlighten me why it's useful?), please document it explicitly. As it is currently, this is a real pitfall.
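
The import rule described above (an environment value beginning with '() {' is taken as a function definition) can be audited from outside bash. The following is an added example, not part of the original post and not bash's own code: it assumes the NUL-separated layout of /proc/<pid>/environ, the helper names are hypothetical, and the sample block is constructed.

```python
import os

MAGIC = b"() {"  # prefix the post says bash interprets as a function definition


def parse_environ(block: bytes):
    """Split a NUL-separated environment block (the /proc/<pid>/environ layout)
    into (name, value) pairs. Entries without '=' or with an empty name are
    skipped, which also drops the empty entry after a trailing NUL."""
    pairs = []
    for entry in block.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name:
            pairs.append((name, value))
    return pairs


def function_like(pairs):
    """Names whose value starts with the magic token, in original order."""
    return [name for name, value in pairs if value.startswith(MAGIC)]


def sanitized(pairs):
    """Environment with function-like values dropped, suitable for passing to
    a child process that may end up running bash."""
    return {name: value for name, value in pairs if not value.startswith(MAGIC)}


# Constructed sample block, not captured from a real process.
SAMPLE = (
    b"PATH=/usr/bin:/bin\0"
    b"fun=() { :;}\0"                 # imported as a function, as in the post
    b"var=() {\0"                     # the plain variable bash fails to import
    b"note=text with () { inside\0"   # token not at the start: ordinary value
    b"BROKEN\0"                       # malformed entry without '='
)

if __name__ == "__main__":
    # Audit the current process first, then the constructed sample.
    own = [(os.fsencode(k), os.fsencode(v)) for k, v in os.environ.items()]
    for name in function_like(own):
        print("function-like value in own environment:",
              name.decode(errors="replace"))
    for name in function_like(parse_environ(SAMPLE)):
        print("function-like value in sample:", name.decode())
```

The check matches only the value pattern the post describes; it says nothing about whether a given bash build still imports such values.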