Is the behavior behind the Shellshock vulnerability in Bash documented or at all intentional?

余生分开走 2020-11-30 03:26

A recent vulnerability, CVE-2014-6271, in how Bash interprets environment variables was disclosed. The exploit relies on Bash parsing some environment variable declarations

4 answers
  •  广开言路
    2020-11-30 04:15

    The following:

    x='() { echo I do nothing; }; echo vulnerable' bash -c 'typeset -f'
    

    prints

    vulnerable
    x () 
    { 
        echo I do nothing
    }
    declare -fx x
    

    It seems that Bash, after having parsed the x=..., discovered it as a function, exported it, saw the declare -fx x and allowed the execution of the command after the declaration.

    echo vulnerable

    x='() { x; }; echo vulnerable' bash -c 'typeset -f'
    

    prints:

    vulnerable
    x () 
    { 
        echo I do nothing
    }
    

    and running the x

    x='() { x; }; echo Vulnerable' bash -c 'x'
    

    prints

    Vulnerable
    Segmentation fault: 11
    

    segfaults - infinite recursive calls

    It doesn't override an already defined function

    $ x() { echo Something; }
    $ declare -fx x
    $ x='() { x; }; echo Vulnerable' bash -c 'typeset -f'
    

    prints:

    x () 
    { 
        echo Something
    }
    declare -fx x
    

    i.e. the x remains the previously (correctly) defined function.

    For the Bash 4.3.25(1)-release the vulnerability is closed, so

    x='() { echo I do nothing; }; echo Vulnerable' bash -c ':'
    

    prints

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    

    but - what is strange (at least for me)

    x='() { x; };' bash -c 'typeset -f'
    

    STILL PRINTS

    x () 
    { 
        x
    }
    declare -fx x
    

    and the

    x='() { x; };' bash -c 'x'
    

    segmentation faults too, so it STILL accepts the strange function definition...
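
A defensive check built on the test values in the answer above, added here as an example (not part of the original answer): it classifies `NAME=value` pairs by whether the value starts with `() {` and whether any text follows the first closing brace. The names `classify` and `audit` and the sample input are constructed for illustration; stopping at the first `}` is a deliberate simplification that over-reports function bodies containing nested braces.

```sh
#!/bin/sh
# Added example. classify VALUE prints one of:
#   plain             - value does not start with "() {"
#   function          - starts with "() {"; only ';' or whitespace after the first '}'
#   function+trailing - starts with "() {"; other text follows the first '}'
#                       (a value with no '}' at all is also reported this way)
classify() {
    case $1 in
        '() {'*) ;;                      # the prefix used by every test value in the answer
        *) echo plain; return 0 ;;
    esac
    close='}'
    rest=${1#*"$close"}                  # drop everything through the first '}'
    rest=$(printf '%s' "$rest" | tr -d ' \t\n;')
    if [ -n "$rest" ]; then
        echo 'function+trailing'
    else
        echo function
    fi
}

# audit reads NAME=value lines on stdin and prints "NAME<TAB>class" for every
# value that is not plain. Assumption: one variable per line, which does not
# hold for real environment values that contain newlines.
audit() {
    while IFS= read -r line; do
        name=${line%%=*}
        cls=$(classify "${line#*=}")
        [ "$cls" = plain ] || printf '%s\t%s\n' "$name" "$cls"
    done
}

# Constructed sample input reusing the values tested in the answer.
audit <<'EOF'
x=() { echo I do nothing; }; echo vulnerable
y=() { x; };
PATH=/usr/bin:/bin
EOF
```

The `function` class corresponds to the `x='() { x; };'` case that the answer reports as still being imported by Bash 4.3.25(1)-release, so both classes are worth reviewing when they show up in a service's environment.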
