diff CHANGES.txt @ 8558:5fbf6451a782

bug: harden header/environment values for roundup-server and cgi

If the environment (cgi) or header variables (server) have values with characters outside of the printable ascii range (chr(32-126)), return HTTP 400 error. This is overly strict but nothing that Roundup looks at requires a larger range. When deploying with wsgi and Zope, server software should verify proper values.

This fix was triggered by the waitress wsgi server bug: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 which was caused by incorrect validation of header values resulting in the proxy and waitress having different interpretations of what the header meant.

My testing of the roundup.cgi script is to use a cgi->wsgi wrapper and run it under wsgi (using waitress). I need to try it under a real server that can run cgi. It looks like python http.server --cgi is missing definitions of HTTP_HOST and other required CGI variables. That's probably why the --cgi option was removed, but it leaves me without a good way to test. Maybe https://github.com/mdklatt/pytest-cgi could be used to test that front end? Arguably CGI is old, but cheap hosting still allows it.
author John Rouillard <rouilj@ieee.org>
date Wed, 08 Apr 2026 00:35:34 -0400
parents ee17f62c8341
children 19670ecbad82
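The check the commit message describes, written out as an added example (this is not Roundup's own code, and the function names, the sample CGI environment and the sample header values below are constructed for illustration). Any value containing a character outside chr(32)..chr(126) makes the request a 400; that rejects CR/LF (header injection / request-smuggling vectors of the kind the waitress advisory concerns), HTAB, DEL and every non-ASCII character, including the lone surrogates that os.environ produces for undecodable bytes on POSIX.

```python
"""Reject CGI environment or HTTP header values that are not printable ASCII.

Added example, not Roundup's own code. Names and sample data are assumptions.
"""
import re
from typing import Dict, List, Mapping

# Everything outside 0x20..0x7E is rejected: NUL, TAB, CR, LF and the other
# C0 controls, DEL (0x7F), and all non-ASCII code points. Lone surrogates such
# as '\udcff' (what os.environ yields for a raw 0xFF byte under
# surrogateescape) also fall outside the range and are rejected.
_NON_PRINTABLE = re.compile(r"[^\x20-\x7e]")


def is_printable_ascii(value: str) -> bool:
    """True if every character of value is in chr(32)..chr(126)."""
    return _NON_PRINTABLE.search(value) is None


def find_bad_values(variables: Mapping[str, object]) -> List[str]:
    """Return the (sorted) names of variables whose str values fail the check.

    Works for an os.environ-style CGI environment and for a header mapping
    alike. Non-str values (e.g. wsgi.input file objects) are skipped, since
    only text is being validated here.
    """
    return sorted(
        name for name, value in variables.items()
        if isinstance(value, str) and not is_printable_ascii(value)
    )


def check_request(variables: Mapping[str, object]):
    """Return (http_status, detail): 400 if any value fails, else 200."""
    bad = find_bad_values(variables)
    if bad:
        return 400, "non-printable characters in: " + ", ".join(bad)
    return 200, "ok"


# Constructed sample CGI environment that passes the check.
GOOD_ENVIRON: Dict[str, str] = {
    "REQUEST_METHOD": "GET",
    "HTTP_HOST": "tracker.example.org",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)",
    "PATH_INFO": "/issue1",
    "SCRIPT_NAME": "/roundup.cgi",
    "QUERY_STRING": "@template=item",
}

# Constructed sample that fails in four different ways.
BAD_ENVIRON: Dict[str, str] = {
    "REQUEST_METHOD": "GET",
    "HTTP_HOST": "tracker.example.org\r\nX-Injected: 1",  # CR LF smuggled in
    "HTTP_USER_AGENT": "Mozilla/5.0\t(tab)",              # HTAB: RFC-legal, rejected here
    "HTTP_X_FORWARDED_FOR": "203.0.113.7\x7f",            # DEL (0x7F)
    "PATH_INFO": "/issue1\udcff",                         # surrogateescape'd raw byte 0xFF
    "SCRIPT_NAME": "/roundup.cgi",
}


if __name__ == "__main__":
    for label, env in (("good", GOOD_ENVIRON), ("bad", BAD_ENVIRON)):
        status, detail = check_request(env)
        print(f"{label}: {status} {detail}")
```

Two points worth noting when applying this. HTAB is permitted inside an HTTP field value by RFC 7230, so rejecting it is stricter than the protocol requires; that matches the commit's "overly strict but nothing Roundup looks at needs more" stance, and is the trade-off to revisit if a legitimate client ever sends one. And because the check runs on the values after the front end has decoded them, it only guards Roundup's own parsing; a reverse proxy and the server in front of Roundup can still disagree about a malformed header before Roundup ever sees it, which is the waitress advisory's failure mode and why the commit leaves wsgi and Zope deployments to the hosting server.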
--- a/CHANGES.txt	Mon Apr 06 22:10:23 2026 -0400
+++ b/CHANGES.txt	Wed Apr 08 00:35:34 2026 -0400
@@ -69,7 +69,14 @@
   supports some mime types, ads default mime type for files without a
   mime type (e.g. message contents). Cleaner code. (John Rouillard)
 - run hexora and mitigate/fix some medium sev and above. (John Rouillard)
-
+- Return 400 if environment or header variables 
+  have values with characters outside of the printable ascii range
+  (32-127). Applies to  roundup-server and roundup-cgi. wsgi and Zope
+  depend on the hosting server for sanitizing. Se waitress wsgi server
+  bug:
+  https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4
+  (John Rouillard)
+  
 Features:
 
 - add support for authorized changes. User can be prompted to enter
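Review bot: the range stated in the new entry, "(32-127)", disagrees with the commit message's "chr(32-126)"; chr(127) is DEL, which is not printable, so the entry should read 32-126 (or "chr(32) to chr(126)") to describe what the check actually accepts. Same hunk: "Se waitress wsgi server bug" should be "See waitress wsgi server bug"; the added lines "+- Return 400 if environment or header variables " and "+  " carry trailing whitespace; and the CGI front end is called "roundup-cgi" here but "roundup.cgi" in the commit message, so pick one spelling. It would also help the reader to split "wsgi and Zope depend on the hosting server for sanitizing" into its own sentence so it is not read as a qualification of "Applies to roundup-server and roundup-cgi".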

Roundup Issue Tracker: http://roundup-tracker.org/