Puma's header normalization allows for client to clobber proxy set headers
Impact Clients could clobber values set by intermediate proxies such as X-Forwarded-For by providing a underscore version of the same header X-ForwardedFor. Any users trusting headers set by their proxy may be affected. Attackers may be able to downgrade connections to HTTP non-SSL or redirect...
