Skirt header cleaning with unprotect
When a URL is unprotected and the user is not authenticated, the request headers that would be sent to the protected application are cleaned, to prevent a malicious user from transmitting these headers himself.
For example, if LL::NG::Handler is supposed to send a header "Auth-User", this header is not sent by the handler (since the user is not authenticated), and if the request already has a header "Auth-User", it is removed, so that the application does not believe the user is authenticated. But if a malicious user sends a request header "Auth_User" (dash replaced with underscore), it is not removed. And if the protected application is a CGI or reads request headers as CGI, it is fooled.
Indeed, Apache mod_perl header names are case-insensitive but -/_ sensitive, whereas CGI header names are case-insensitive and -/_ insensitive. I consider this a security issue due to Apache mod_perl.
However, the bug only concerns unprotect (and skip, but it is not a security issue for skip). If the handler adds a header "Auth-User", then the header "Auth_User" disappears.
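
The mismatch described above can be modelled in a few lines. This is an added example, not LL::NG code: it compares cleaning by case-insensitive name with cleaning by the CGI meta-variable name (RFC 3875: upper-case, "-" mapped to "_", `HTTP_` prefix). The function names and the sample request are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# CGI meta-variable name for a request header (RFC 3875).
sub cgi_name {
    my ($name) = @_;
    ( my $n = uc $name ) =~ tr/-/_/;
    return "HTTP_$n";
}

# Remove every request header whose key, as computed by $key, matches
# the key of a header managed by the handler.
sub clean {
    my ( $key, $headers, @managed ) = @_;
    my %drop = map { ( $key->($_) => 1 ) } @managed;
    my %kept;
    for my $name ( keys %$headers ) {
        $kept{$name} = $headers->{$name} unless $drop{ $key->($name) };
    }
    return \%kept;
}

# What a CGI application reads from its environment.
sub cgi_env {
    my ($headers) = @_;
    my %env;
    $env{ cgi_name($_) } = $headers->{$_} for keys %$headers;
    return \%env;
}

# Constructed sample: unauthenticated request to an unprotected URL.
my %request = ( 'Host' => 'app.example.com', 'Auth_User' => 'admin' );
my @managed = ('Auth-User');    # header the handler would set after login

my @strategies = (
    # Matching as described on the page: case-insensitive, "-" differs from "_".
    [ 'exact', sub { lc $_[0] } ],
    # Hardened: match on the name the CGI application will actually see.
    [ 'normalised', \&cgi_name ],
);

for my $s (@strategies) {
    my ( $label, $key ) = @$s;
    my $env = cgi_env( clean( $key, \%request, @managed ) );
    printf "%-10s HTTP_AUTH_USER=%s\n", $label,
        $env->{HTTP_AUTH_USER} // '(unset)';
}
```

With exact matching the CGI environment still carries the client-supplied value. With normalised matching the variable is unset.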