Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can be used to mitigate any future, similar issues.
tomcat/tc7.0.x/trunk/
tomcat/tc7.0.x/trunk/conf/web.xml