It makes sense to be as strict as possible
with headers from the outside world, but I
believe the primary concern is CRLF injection.
Allowing @ to support Apache's mod_unique_id
(see #31644) seems OK to me, but I definitely
want to get confirmation from an expert.
Let's be a little more explicit about this, and add a new test that uses an actual Apache mod_request_id value, and labels it as such. Otherwise @ seems a pretty arbitrary extension to the alphabet needed to cover UUIDs.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.