The takeaway: something isn't a security bug just because you can get a program to misbehave based on user input. It has to lead to a privilege escalation, letting the user do something they couldn't otherwise do (e.g. if the input might come from an untrusted source that couldn't directly just do the thing itself).