That is, we ended up handling e.g. "Repl:" as "Reply-To:" here, and thus
this can have side-effects on application behavior such as determining who
to send a reply to. As this might allow bypasses of mechanisms that sign
certain subset of relevant headers, this is rather problematic.

This is caused by only checking the length of the input string, but not
the length of the expected string for the name comparison.

Thanks to Marcus Brinkmann for discovering this.