Comment 7 for bug 1276887

Alan Pevec (apevec) wrote : Re: Glance uses INVALID HTTP header names - with underscore in their name

So the Apache 2.4 new feature is explained as:
"Translation of headers to environment variables is more strict than before to mitigate some possible cross-site-scripting attacks via header injection. Headers containing invalid characters (including underscores) are now silently dropped. Environment Variables in Apache has some pointers on how to work around broken legacy clients which require such headers. (This affects all modules which use these environment variables.)"

"attacks via header injection" is explained in http://kuza55.blogspot.com/2007/07/exploiting-reflected-xss.html
afaict e.g. @request.user_agent can be faked with a custom User_Agent: header because the web framework doesn't detect the collision with the proper User-Agent: header when translating. But it's a bad webapp anyway where not all input is sanitized!
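The collision the comment above describes, as an added example that is not part of the bug thread and not Apache or Glance code: a small model of the CGI/WSGI header-to-environment translation (upper-case, hyphen to underscore, `HTTP_` prefix), with the Apache 2.4 strictness switched on or off. The header list and the `X-Custom_Header` name are constructed for the example; which duplicate a real server ends up passing to the application depends on the module, so this model simply lets the later header win.

```python
import re

# Apache 2.4 only translates header names made of letters, digits and '-';
# anything else (underscore included) is silently dropped before the
# application sees it.  Assumption: this regex models the documented rule,
# it is not Apache's own code.
_VALID_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def cgi_env_name(header_name):
    """CGI/WSGI translation: 'User-Agent' -> 'HTTP_USER_AGENT'.

    Note that '-' and '_' both become '_', so 'User_Agent' maps to the
    same variable.  That is the collision exploited by header injection."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def translate_headers(headers, strict=True):
    """Translate (name, value) pairs in wire order into an environment dict.

    strict=True  models Apache 2.4: names with invalid characters are dropped.
    strict=False models the legacy behaviour where everything is translated.
    Returns (env, dropped_names, collisions); a collision is a header whose
    translated name was already set by an earlier header."""
    env = {}
    dropped = []
    collisions = []
    for name, value in headers:
        if strict and not _VALID_NAME.match(name):
            dropped.append(name)
            continue
        key = cgi_env_name(name)
        if key in env:
            collisions.append((name, key))
        env[key] = value  # assumption: later header wins, see lead-in
    return env, dropped, collisions


# Constructed request: a genuine User-Agent, a spoofed User_Agent carrying
# a script payload, and a legitimate-but-underscored custom header of the
# kind the bug is about (name invented for the example).
SAMPLE_HEADERS = [
    ("Host", "glance.example"),
    ("User-Agent", "python-glanceclient"),
    ("User_Agent", "<script>alert(1)</script>"),
    ("X-Custom_Header", "needed-by-the-app"),
    ("X-Auth-Token", "abc123"),
]


def compare_behaviours(headers=SAMPLE_HEADERS):
    """Run both translations and report what the application would see."""
    legacy_env, _, legacy_coll = translate_headers(headers, strict=False)
    strict_env, strict_dropped, _ = translate_headers(headers, strict=True)
    return {
        # legacy: the spoofed header overwrote the real User-Agent
        "legacy_user_agent": legacy_env["HTTP_USER_AGENT"],
        "legacy_collisions": legacy_coll,
        # 2.4: the spoof is gone, but so is the app's underscored header
        "strict_user_agent": strict_env["HTTP_USER_AGENT"],
        "strict_dropped": strict_dropped,
        "strict_has_custom": "HTTP_X_CUSTOM_HEADER" in strict_env,
    }


if __name__ == "__main__":
    for key, value in compare_behaviours().items():
        print(f"{key}: {value!r}")
```

The two outcomes are the two sides of this bug: the strict rule stops the spoofed `User_Agent` from reaching `HTTP_USER_AGENT`, and for exactly the same reason it also discards any header a client legitimately sends with an underscore in its name. The Apache documentation's workaround is to rename such a header to a hyphenated one before translation (a `SetEnvIfNoCase` plus `RequestHeader` pair), which re-opens the collision only for that one header name.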