REMOTE_USER and REMOTE-USER collision in wsgiserver/__init__.py
Clients can overwrite 'REMOTE_USER' header variable value with an arbitrary 'Remote-User' value by specifying the later after the former.
This has tricky implications when a proxy server is being used, namely that if the proxy passes a re-written REMOTE_USER but also the user-supplied 'Remote-User', CherryPy will actually store HTTP_REMOTE_USER as the value of the user-supplied 'Remote-User' header based on the order that the headers are processed.
492 k, v = k.strip().upper(), v.strip() 493 envname = "HTTP_" + k.replace("-", "_")
Reported by firstname.lastname@example.org