SECURITY (CVE-2011-3368): Prevent unintended pattern expansion in some reverse proxy configurations by strictly validating the request-URI:
* server/protocol.c (read_request_line): Send a 400 response if the request-URI does not match the grammar from RFC 2616. This ensures the input string for RewriteRule et al really is an absolute path.
SECURITY: CVE-2010-0434 (cve.mitre.org) Ensure each subrequest has a shallow copy of headers_in so that the parent request headers are not corrupted. Elimiates a problematic optimization in the case of no request body.