and it appears as if it would probably run anything you put between ; and # (in this case it will echo hi). Unless the filename is sanitized, which it appears to not be.