CR incorrectly permitted within header values

[kenballus]

WEBrick allows CR (\r) within header values. RFC 9110 says not to do this:

Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message.

The suggested fix here would be to reject requests with headers containing bare CR.

[jeremyevans]

@kenballus I submitted #138 to attempt to fix this, but it goes a little further than just disallowing CR in header values. Any chance you could review and let me know if I've made it stricter than what the RFCs allow?