Roundup Tracker - Issues

Message5960

Author antmail
Recipients antmail, ber, jerrykan, rouilj, techtonik
Date 2017-04-22.10:00:58
Message-id <1265574748.20170422130052@inbox.ru>
In-reply-to <20170422013405.5DFFA80690@vm71.cs.umb.edu>
Ok, I'm convinced by your explanation.

> In message <405313549.20170421175726@inbox.ru>, Anthony writes:
>>Nevertheless, John, are you sure that adding the pass_headers option is
>>really a good idea?
>>
>>Is passing all HTTP headers, as other programs do and as conforms to
>>the HTTP/CGI standard, a bad thing?

> Well we had https://httpoxy.org/ and there is an open ticket for this:

>     http://issues.roundup-tracker.org/issue2550925

> so I would say yes there can be exploits. I also hope that no program
> in the future will use HTTP_* as an environment variable but....

> Also didn't the shellshock bash bug depend on creating a specially
> crafted environment variable?

>>In this topic I see only one con: "programming for safety
>>usually means to only let variables (or values if this applies)
>>pass through that are on a whitelist".

> Yup, that's where pass_headers came from. It's the whitelist.

> Have a great weekend.
> --
>                                 -- rouilj
> John Rouillard
> ===========================================================================
> My employers don't acknowledge my existence much less my opinions.

> ________________________________________________
> Roundup tracker <issues@roundup-tracker.org>
> <http://issues.roundup-tracker.org/issue2550837>
> ________________________________________________
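The whitelist John describes above, shown as an added example that is not Roundup's own code: request headers are mapped to CGI `HTTP_*` meta-variables the way RFC 3875 specifies, and only names on a `pass_headers` list are exported. The `Proxy` request header is the one the httpoxy advisory is about, because passed through it becomes `HTTP_PROXY`, which many HTTP client libraries read as proxy configuration. The sample headers, the `proxy.invalid` URL and the list-of-names format of `pass_headers` are constructed for this example; Roundup's real configuration syntax for the option is not reproduced here.

```python
from typing import Dict, Iterable, Optional

# Constructed sample request, not a real capture. The "Proxy" header is the
# httpoxy vector: as a CGI meta-variable it becomes HTTP_PROXY.
SAMPLE_HEADERS: Dict[str, str] = {
    "Host": "tracker.example",
    "User-Agent": "example-client/1.0",
    "Proxy": "http://proxy.invalid:8080",
}


def cgi_var_name(header: str) -> str:
    """Map an HTTP header name to its CGI meta-variable name (RFC 3875 4.1.18):
    upper-cased, '-' replaced by '_', prefixed with HTTP_."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def build_cgi_env(headers: Dict[str, str],
                  pass_headers: Optional[Iterable[str]]) -> Dict[str, str]:
    """Build the HTTP_* part of a CGI environment from request headers.

    pass_headers=None reproduces the 'pass everything' behaviour of plain CGI.
    Otherwise only header names on the whitelist (compared case-insensitively,
    since header names are case-insensitive) are exported. Hypothetical
    signature: Roundup's own option takes a configuration string, not a list.
    """
    allowed = None if pass_headers is None else {h.strip().lower() for h in pass_headers}
    env: Dict[str, str] = {}
    for name, value in headers.items():
        if allowed is not None and name.strip().lower() not in allowed:
            continue  # not whitelisted: never reaches the environment
        env[cgi_var_name(name)] = value
    return env


def dangerous_proxy_vars(env: Dict[str, str]) -> Dict[str, str]:
    """Return any attacker-controllable proxy variables present in a CGI
    environment. Useful as a check in a test suite or a request hook: an empty
    result means the request cannot influence outbound HTTP client proxying."""
    return {k: v for k, v in env.items() if k in ("HTTP_PROXY", "HTTP_PROXY_REQUEST")}


def compare_policies(headers: Dict[str, str], whitelist: Iterable[str]):
    """Build the environment both ways so the difference is visible."""
    pass_all = build_cgi_env(headers, None)
    whitelisted = build_cgi_env(headers, whitelist)
    return pass_all, whitelisted


if __name__ == "__main__":
    pass_all, whitelisted = compare_policies(SAMPLE_HEADERS, ["Host", "User-Agent"])
    print("pass everything :", pass_all)
    print("  proxy vars    :", dangerous_proxy_vars(pass_all))
    print("whitelist       :", whitelisted)
    print("  proxy vars    :", dangerous_proxy_vars(whitelisted))
```

Run as a script it prints both environments; with no whitelist `HTTP_PROXY` appears and is set by the client, with the whitelist it does not. Note that the whitelist is compared on header names only: a whitelisted header's value still reaches the environment unchanged, so the option controls which variables exist, not what they contain.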