On Tuesday 12 October 2010 18:13:46 William A. Rowe Jr. wrote:
> On 10/12/2010 10:06 AM, Dirk-Willem van Gulik wrote:
> > On 12 Oct 2010, at 15:30, Malte S. Stretz wrote:
> >> I had a quick look at the Apache source and the solution was simple:
> >> Just drop headers which contain any character outside the range
> >> [a-zA-Z0-9-]. The patch against trunk is attached.
> >
> > This made me think of something we had a while ago; and after
> > checking the logs - big +1 from me!
>
> Agreed, with a caveat... we ought to be able to toggle this for the
> rare but significant legacy app that requires it... which implies a
> per-dir flag that can override just one CGI script out of an entire
> server.

I think an option is not needed as there is a workaround. Eg. to make an
Accept_Encoding header work:

  SetEnvIfNoCase ^Accept.Encoding$ ^(.*)$ fix_header=$1
  RequestHeader set Accept-Encoding %{fix_header}e env=fix_header

(I had to use a regexp in SetEnvIf since for some reason comparing to an
invalid header doesn't work.)

Cheers,
Malte
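
Added illustration, not part of the original message and not Apache's code: a minimal C sketch of the filter discussed in this thread, placed in front of the usual CGI mapping of header names to HTTP_* variables. The function names are hypothetical; the sketch assumes the CGI convention of upper-casing the name and turning non-alphanumerics into '_', under which Accept-Encoding and Accept_Encoding become the same variable unless the second is dropped.

```c
#include <stdio.h>
#include <string.h>
static int ascii_alnum(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
}

/* 1 if the name is non-empty and every character is in [a-zA-Z0-9-]. */
int header_name_is_safe(const char *name)
{
    if (*name == '\0')
        return 0;
    for (; *name; name++)
        if (!ascii_alnum((unsigned char)*name) && *name != '-')
            return 0;
    return 1;
}

/* CGI-style mapping: "HTTP_" + upper-cased name, other chars become '_'. */
int cgi_env_name(const char *name, char *out, size_t outlen)
{
    size_t n = strlen(name);
    if (outlen < n + 6)
        return -1;                      /* no room for prefix + name + NUL */
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c >= 'a' && c <= 'z') c = (unsigned char)(c - 'a' + 'A');
        out[5 + i] = ascii_alnum(c) ? (char)c : '_';
    }
    out[5 + n] = '\0';
    return 0;
}

/* Filter first, then map: 1 if exported into out, 0 if the header is dropped. */
int export_header(const char *name, char *out, size_t outlen)
{
    return header_name_is_safe(name) && cgi_env_name(name, out, outlen) == 0;
}

int main(void)
{
    /* Constructed sample header names, not taken from the thread's logs. */
    const char *names[] = { "Accept-Encoding", "Accept_Encoding", "X Bad" };
    char env[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%s -> %s\n", names[i], export_header(names[i], env, sizeof env) ? env : "dropped");
    return 0;
}
```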