Looking at
http://code.metager.de/source/xref/isc-dhcp-debian/client/dh...It seems that server_name from DHCP response is passed to environment variable without sanitising.
3437 if (check_option_values(NULL, DHO_HOST_NAME,
3438 lease->server_name,
3439 strlen(lease->server_name)) == 0 ) {
3440 client_envadd (client, prefix, "server_name",
3441 "%s", lease->server_name);
And script that is run after that (dhclient-script) is written in bash at least on Debian.
