I think you're in violent agreement with the comment you responded to in this case (especially judging by what he's written elsewhere on this thread).
He's saying if Apache passes a request to mod_cgi, which spawns "someapp", it is not Apache, but "someapp" that should sanitize the environment before it calls bash.
(and of course if the developer/admin has chosen to write their script to be run by bash, that's their mistake)
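Added example, not from anyone in this thread: one way "someapp" can scrub what mod_cgi handed it before it spawns bash. It builds a fresh environment from an allowlist, pins PATH, and drops any value bash would parse as an exported function (the "() {" prefix), while request-derived variables such as HTTP_USER_AGENT are never passed through at all. The allowlist, the sample CGI environment and the helper names are my own assumptions for illustration.

```python
import subprocess
from typing import Dict, Iterable, Mapping

# Hypothetical allowlist of variables a bash helper legitimately needs.
# Anything not listed here (HTTP_*, QUERY_STRING, REMOTE_ADDR, ...) is
# simply not copied into the child's environment.
SAFE_VARS = ("PATH", "HOME", "LANG", "TZ", "TMPDIR")
SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"


def looks_like_exported_function(value: str) -> bool:
    """True if bash would treat this value as a function definition."""
    return value.lstrip().startswith("() {")


def sanitized_env(request_env: Mapping[str, str],
                  allowed: Iterable[str] = SAFE_VARS) -> Dict[str, str]:
    """Build a clean environment for a bash child from an untrusted one.

    Only allowlisted names survive, PATH is replaced with a fixed value,
    and a value carrying the function-definition prefix is dropped even
    when its name is on the allowlist.
    """
    clean: Dict[str, str] = {}
    for name in allowed:
        value = request_env.get(name)
        if value is None or looks_like_exported_function(value):
            continue
        clean[name] = value
    clean["PATH"] = SAFE_PATH
    return clean


def dropped_names(request_env: Mapping[str, str]) -> list:
    """Names from the incoming environment that did not make it through."""
    kept = sanitized_env(request_env)
    return sorted(name for name in request_env if name not in kept)


def run_bash_helper(script: str, args: list, request_env: Mapping[str, str]):
    """Spawn bash with the scrubbed environment.

    Request data the script needs travels as argv, never as an
    environment variable, so the shell's parser never sees it as a
    candidate function definition.
    """
    return subprocess.run(["bash", script, *args],
                          env=sanitized_env(request_env),
                          capture_output=True, text=True, check=False)


# Constructed sample: roughly what mod_cgi hands "someapp" when a client
# sends a crafted User-Agent header and a crafted Accept-Language header
# that Apache turned into CGI variables.
CGI_ENV_SAMPLE = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/var/www",
    "QUERY_STRING": "q=1",
    "HTTP_USER_AGENT": "() { :;}; echo attacker-controlled",
    "LANG": "() { :;}; echo also-attacker-controlled",
}


if __name__ == "__main__":
    # Needs a bash binary on PATH; shows the scrubbed child sees nothing
    # of the crafted values.
    result = subprocess.run(
        ["bash", "-c", 'echo "UA=[$HTTP_USER_AGENT] LANG=[$LANG] PATH=[$PATH]"'],
        env=sanitized_env(CGI_ENV_SAMPLE), capture_output=True, text=True)
    print(result.stdout.strip())
    print("dropped:", dropped_names(CGI_ENV_SAMPLE))
```

Note that the allowlist is doing most of the work; the "() {" check is only a second line of defence for the few variables that are allowed through, since an allowlisted value can still originate from a request (a LANG derived from Accept-Language, for instance).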