On 10/12/2010 10:06 AM, Dirk-Willem van Gulik wrote:
>
> On 12 Oct 2010, at 15:30, Malte S. Stretz wrote:
>
>> I had a quick look at the Apache source and the solution was simple: Just
>> drop headers which contain any character outside the range [a-zA-Z0-9-].
>> The patch against trunk is attached.
>
> This made me think of something we had a while ago; and after checking the
> logs - big +1 from me!

Agreed, with a caveat... we ought to be able to toggle this for the rare but significant legacy app that requires it... which implies a per-dir flag that can override just one CGI script out of an entire server.
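
Added example, not part of the original messages or the attached patch: a sketch of the header-name check discussed in this thread, combined with an opt-out switch. The names `header_to_cgi_env` and `allow_legacy` are hypothetical, and the mapping to `HTTP_*` variables follows the CGI convention (RFC 3875) rather than anything quoted above.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1 if c is in [a-zA-Z0-9-], the range named in the thread. */
static int is_strict_char(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/*
 * Build the CGI variable name (HTTP_ + upper-cased name, every other
 * character mapped to '_') for a request header.
 * Returns 1 and fills out on success. Returns 0 when the header is dropped:
 * empty name, a character outside the strict range while allow_legacy is 0,
 * or out too small. On 0 the contents of out are unspecified.
 * allow_legacy is a hypothetical stand-in for a per-directory override.
 */
static int header_to_cgi_env(const char *name, int allow_legacy,
                             char *out, size_t outlen)
{
    size_t len = strlen(name);
    size_t i;

    if (len == 0 || outlen < len + 6)   /* "HTTP_" + name + NUL */
        return 0;
    memcpy(out, "HTTP_", 5);
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!is_strict_char(c) && !allow_legacy)
            return 0;                   /* strict mode: drop the header */
        if (c >= 'a' && c <= 'z')
            c = (unsigned char)(c - 'a' + 'A');
        else if (!((c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')))
            c = '_';
        out[5 + i] = (char)c;
    }
    out[5 + len] = '\0';
    return 1;
}

int main(void)
{
    const char *names[] = { "X-Forwarded-For", "X_Forwarded_For" }; /* constructed */
    char env[64];
    for (int legacy = 0; legacy <= 1; legacy++)
        for (size_t i = 0; i < 2; i++)
            printf("legacy=%d %-16s -> %s\n", legacy, names[i],
                   header_to_cgi_env(names[i], legacy, env, sizeof env) ? env : "(dropped)");
    return 0;
}
```

With the override on, both constructed names produce the same variable, which is the ambiguity the strict check removes for every script that does not opt out.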