--- conf/web.xml.orig 2016-08-23 14:41:14.488986580 -0400 +++ conf/web.xml 2016-08-23 14:41:14.497986572 -0400 @@ -346,6 +346,15 @@ + + + + + + + + + @@ -369,7 +378,7 @@ cgiPathPrefix WEB-INF/cgi - 5 + 5 --> --- java/org/apache/catalina/servlets/CGIServlet.java.orig 2016-08-23 14:41:14.489986579 -0400 +++ java/org/apache/catalina/servlets/CGIServlet.java 2016-08-23 14:42:41.287905267 -0400 @@ -36,6 +36,7 @@ import java.util.Locale; import java.util.StringTokenizer; import java.util.Vector; +import java.util.regex.Pattern; import javax.servlet.RequestDispatcher; import javax.servlet.ServletConfig; @@ -276,6 +277,16 @@ */ private long stderrTimeout = 2000; + /** + * The regular expression used to select HTTP headers to be passed to the + * CGI process as environment variables. The name of the environment + * variable will be the name of the HTTP header converter to upper case, + * prefixed with HTTP_ and with all - characters + * converted to _. + */ + private Pattern envHttpHeadersPattern = Pattern.compile( + "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT"); + /** object used to ensure multiple threads don't try to expand same file */ static Object expandFileLock = new Object(); @@ -339,6 +350,10 @@ "stderrTimeout")); } + if (getServletConfig().getInitParameter("envHttpHeaders") != null) { + envHttpHeadersPattern = + Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders")); + } } 
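Review bot: The Javadoc on the new `envHttpHeadersPattern` field in the @@ -276 hunk has a typo, "converter to upper case" should read "converted to upper case", and it does not say that the pattern is applied with `matches()` against the whole header name, which is what makes `ACCEPT[-0-9A-Z]*` an exact-name allow-list rather than a substring search. I would extend the comment with `* Applied with matches() to the full upper-case header name. Authorization, Proxy-Authorization and Proxy are deliberately not listed (CGI spec 11.2, httpoxy / CVE-2016-5388); widening the default re-exposes them.` so the next maintainer does not "fix" the default by broadening it. The field is reassigned during initialisation, so it cannot be final; a short note saying so would stop a reviewer from flagging it later.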
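Review bot: In the @@ -339 hunk, `Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"))` lets a malformed operator-supplied regex escape as an unchecked `PatternSyntaxException` whose message does not name the parameter, and the init parameter is looked up twice. Failing servlet initialisation on a bad pattern is the right, fail-closed outcome, but it should surface as a `ServletException` that names `envHttpHeaders` so the misconfiguration is obvious in the logs; if the enclosing method is `init()` it already declares that exception (the method's start is outside the hunk, so this is inferred). Reading the value once into a local removes the duplicated lookup. `PatternSyntaxException` would need importing next to the `java.util.regex.Pattern` import added earlier in this diff.
```java
        String envHttpHeaders = getServletConfig().getInitParameter("envHttpHeaders");
        if (envHttpHeaders != null) {
            try {
                envHttpHeadersPattern = Pattern.compile(envHttpHeaders);
            } catch (PatternSyntaxException e) {
                // Fail closed: a broken allow-list must not leave the servlet running with the default.
                throw new ServletException("Invalid envHttpHeaders pattern: " + envHttpHeaders, e);
            }
        }
```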
@@ -1106,12 +1121,8 @@
 //REMIND: rewrite multiple headers as if received as single
 //REMIND: change character set
 //REMIND: I forgot what the previous REMIND means
- if ("AUTHORIZATION".equalsIgnoreCase(header) ||
- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
- //NOOP per CGI specification section 11.2
- } else {
- envp.put("HTTP_" + header.replace('-', '_'),
- req.getHeader(header));
+ if (envHttpHeadersPattern.matcher(header).matches()) {
+ envp.put("HTTP_" + header.replace('-', '_'), req.getHeader(header));
 }
 }
--- webapps/docs/cgi-howto.xml.orig 2016-08-23 14:41:14.490986578 -0400
+++ webapps/docs/cgi-howto.xml 2016-08-23 14:41:14.494986575 -0400
@@ -111,6 +111,12 @@
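Review bot: The CGI-specification exclusion of Authorization and Proxy-Authorization (section 11.2, the removed NOOP branch) is now enforced only by what the default pattern happens to omit, so an operator override of `envHttpHeaders` that is broader than the default (for example `[-0-9A-Z]*`) would forward those credentials, and any Proxy header, to the CGI process as `HTTP_*` variables, which is the very class of exposure this change mitigates. I would keep the spec-mandated exclusion explicit ahead of the configurable test: `if (!"AUTHORIZATION".equalsIgnoreCase(header)`, `        && !"PROXY-AUTHORIZATION".equalsIgnoreCase(header)`, `        && envHttpHeadersPattern.matcher(header).matches()) {`. Note the hyphenated spelling: the `-` to `_` replacement only happens when the key is built on the following `envp.put` line, so the name being tested still carries hyphens. The enclosing loop and method begin before the hunk.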
  • executable-arg-1, executable-arg-2, and so on - additional arguments for the executable. These precede the CGI script name. By default there are no additional arguments.
  • +
  • envHttpHeaders - A regular expression used to select the +HTTP headers passed to the CGI process as environment variables. Note that +headers are converted to upper case before matching and that the entire header +name must match the pattern. Default is +ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT +
  • parameterEncoding - Name of the parameter encoding to be used with the CGI servlet. Default is System.getProperty("file.encoding","UTF-8"). That is the system --- webapps/docs/changelog.xml.orig 2016-08-23 14:41:14.491986578 -0400 +++ webapps/docs/changelog.xml 2016-08-23 14:42:04.119940086 -0400 @@ -57,6 +57,19 @@ They eventually become mixed with the numbered issues. (I.e., numbered issues do not "pop up" wrt. others). --> +
    + + + + Add a new initialisation parameter, envHttpHeaders, to + the CGI Servlet to mitigate httpoxy + (CVE-2016-5388) by default and to provide a mechanism that can be + used to mitigate any future, similar issues. (markt) + + + +