Part two sounds a bit similar to this (insofar as it looks like somewhat wonky parsing/sanitizing of header values).