diff roundup/cgi/client.py @ 8558:5fbf6451a782

bug: harden header/environment values for roundup-server and cgi If the environment (cgi) or header variables (server) have values with characters outside of the printable ascii range (chr(32-126)), return HTTP 400 error. This is overly strict but nothing that Roundup looks at requires a larger range. When deploying with wsgi and Zope, server software should verify proper values. This fix was triggered by the waitress wsgi server bug: https://github.com/Pylons/waitress/security/advisories/GHSA-m5ff-3wj3-8ph4 which was caused by incorrect validation of header values resulting in the proxy and waitress having different interpretations of what the header meant. My testing of the roundup.cgi script is to use a cgi->wsgi wrapper and run it under wsgi (using waitress). I need to try it under a real server that can run cgi. It looks like python http.server --cgi is missing definitions of HTTP_HOST and other required CGI variables. That's probably why the --cgi option was removed, but it leaves me without a good way to test. Maybe https://github.com/mdklatt/pytest-cgi could be used to test that front end? Arguably CGI is old, but cheap hosting still allows it.
author John Rouillard <rouilj@ieee.org>
date Wed, 08 Apr 2026 00:35:34 -0400
parents f80c566f5726
children
--- a/roundup/cgi/client.py	Mon Apr 06 22:10:23 2026 -0400
+++ b/roundup/cgi/client.py	Wed Apr 08 00:35:34 2026 -0400
@@ -132,6 +132,12 @@
     import random
     random.seed()
 
+_safe_char_set = {chr(x) for x in range(32,127)}
+def are_header_values_safe(header_list):
+    for header, value in header_list.items():
+        if (set(value) - _safe_char_set):
+            return header, value
+    return None
 
 class LiberalCookie(SimpleCookie):
     """ Python's SimpleCookie throws an exception if the cookie uses invalid
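Review bot: `are_header_values_safe` will raise `TypeError` if any value in `header_list` is not a string (for example a `None` or a non-string object from a WSGI environ), because `set(value)` is applied unconditionally in the loop; guard with `isinstance(value, str)` and treat a non-string value as unsafe so the caller still gets its 400 instead of a traceback. Two smaller points on the same lines: the name reads as a boolean predicate but the function returns the offending `(header, value)` tuple or `None`, so a docstring stating that contract (and that `header_list` is a mapping, since `.items()` is called on it) would help callers, and the parentheses in `if (set(value) - _safe_char_set):` are unnecessary. Note also that `range(32,127)` excludes HTAB, which HTTP allows inside field values; the commit message says the strictness is intentional, so a comment next to `_safe_char_set` recording that choice would save the next reader from "fixing" it.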

Roundup Issue Tracker: http://roundup-tracker.org/