foo ...
http://www.openwall.com/lists/oss-security/2014/09/24/17
"Note that on Linux systems where /bin/sh is symlinked to /bin/bash,
any popen() / system() calls from within languages such as PHP would
be of concern due to the ability to control HTTP_* in the env.
/mz"
$ ls -la /bin/sh
lrwxrwxrwx 1 root root 4 Mar 1 2012 /bin/sh -> dash
phew ':)