cherrypy / cheroot

Cheroot is the high-performance, pure-Python HTTP server used by CherryPy. Docs --> https://cheroot.cherrypy.dev
BSD 3-Clause "New" or "Revised" License

Cheroot allows empty HTTP header names #721

Open kenballus opened 3 months ago

kenballus commented 3 months ago

❓ I'm submitting a ...

🐞 Describe the bug. What is the current behavior? Cheroot allows empty HTTP header names, which are not valid according to the field-name grammar from RFC 9110.

❓ What is the motivation / use case for changing the behavior? In the past, empty header names have been used to execute request smuggling attacks, due to the fact that some gateways have historically treated \r\n:\r\n equivalently to \r\n\r\n.

💡 To Reproduce Start a Cheroot-based HTTP server, and send it a request with an empty header name. For example,

GET / HTTP/1.1\r\n
Host: whatever\r\n
: no-name\r\n
\r\n

You will see that the request is accepted, and the empty header is treated just like any other header.

💡 Expected behavior Cheroot should respond 400. This is what most other HTTP implementations (including AIOHTTP, Apache, Daphne, Deno, Go net/http, Gunicorn, H2O, HAProxy, Hyper, Hypercorn, Jetty, Lighttpd, Nginx, Node.js, LiteSpeed, Passenger, Puma, Tomcat, Unicorn, Uvicorn, Waitress, and WEBrick) do.

📋 Environment
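The check the report asks for, written out as an added example (this is illustrative code, not Cheroot's own parser): a header field-name must match the RFC 9110 `token` rule, which requires at least one `tchar`, so the empty name in the reproducer above is rejected with a 400 rather than being stored as a header. The request bytes below are constructed from the issue's example; `parse_request_head` and `is_valid_field_name` are names chosen here, not Cheroot APIs.

```python
import re

# RFC 9110 section 5.6.2: token = 1*tchar, where tchar is any of the
# characters below plus DIGIT / ALPHA. The "+" enforces the minimum length
# of one, which is exactly what an empty field-name violates.
TOKEN_RE = re.compile(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")


def is_valid_field_name(name: str) -> bool:
    """True iff `name` is a syntactically valid RFC 9110 field-name (a token)."""
    return TOKEN_RE.fullmatch(name) is not None


def parse_request_head(raw: bytes):
    """Parse the request line and header fields from a raw HTTP/1.1 request head.

    Returns (status, headers): (200, [(name, value), ...]) when every field line is
    well-formed, or (400, None) when a field line has no colon, a non-ASCII name,
    or a name that is not a token (empty, or containing whitespace/control bytes).
    Only header syntax is checked here; the request line is passed through as-is.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return 400, None  # incomplete head: no terminating empty line
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:  # lines[0] is the request line
        name, colon, value = line.partition(b":")
        if not colon:
            return 400, None  # a field line must contain a colon
        try:
            name_str = name.decode("ascii")
        except UnicodeDecodeError:
            return 400, None
        # Rejects "" (this issue) and also "Host " (space before the colon),
        # since SP is not a tchar.
        if not is_valid_field_name(name_str):
            return 400, None
        headers.append((name_str, value.strip().decode("latin-1")))
    return 200, headers


# Constructed sample inputs: the reproducer from the report, and a clean request.
EMPTY_NAME_REQUEST = b"GET / HTTP/1.1\r\nHost: whatever\r\n: no-name\r\n\r\n"
WELL_FORMED_REQUEST = b"GET / HTTP/1.1\r\nHost: whatever\r\n\r\n"

if __name__ == "__main__":
    print(parse_request_head(EMPTY_NAME_REQUEST))   # (400, None)
    print(parse_request_head(WELL_FORMED_REQUEST))  # (200, [('Host', 'whatever')])
```

Using `fullmatch` against the token grammar, instead of a check such as `if not name`, is what makes the same code also reject names with embedded whitespace or control bytes, which is the behaviour the report attributes to the servers that return 400 here.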