Forum OpenACS Development: Response to ad_proc and switches...

Posted by Kjell Wooding on
I noticed this way back when doing a bit of a security audit on
a project with a 3.4.10 codebase. It seems you can cause all KINDS of
craziness by passing form variables that start with dashes. If you
know how the code behaves, you have the potential to cause a lot
of damage.

In other words, I think it's a vulnerability waiting to happen -
similar to the old SQL smuggling attacks.

I ended up recommending we sweep the code and put "--" everywhere
where it wasn't already. It's not a great fix, though, because it is
too easy to miss.
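
The failure mode described in the post above, as an added example that is not part of the original post and is not OpenACS code: `greet` and its `-raw` switch are hypothetical, written here with an ad_proc-style switch parser, and the form values are constructed. It shows a dash-prefixed value being consumed as a switch, and the same call with "--" in front treating it as data.

```tcl
# Hypothetical proc with ad_proc-style switches (not OpenACS's ad_proc).
# Leading arguments that start with "-" are parsed as switches until "--"
# or the first argument that does not start with "-".
proc greet {args} {
    set raw 0
    set i 0
    foreach a $args {
        if {$a eq "--"} { incr i; break }            ;# explicit end of switches
        if {[string index $a 0] ne "-"} { break }    ;# first positional argument
        if {$a ne "-raw"} { error "unknown switch: $a" }
        set raw 1                                     ;# -raw: skip HTML escaping
        incr i
    }
    set text [join [lrange $args $i end] " "]
    if {!$raw} {
        set text [string map {& &amp; < &lt; > &gt;} $text]
    }
    return $text
}

# Constructed form values: the first field starts with a dash.
set first "-raw"
set last  "<b>Smith</b>"

# Unguarded call: $first is parsed as the -raw switch, so escaping is skipped.
puts [greet $first $last]

# Guarded call: "--" ends switch parsing, both values are escaped as data.
puts [greet -- $first $last]

# Any other dash-prefixed value makes the unguarded call fail outright.
if {[catch {greet "-x" $last} msg]} {
    puts "error: $msg"
}
```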