Observe that the server responds 405, indicating a syntactically valid but unsupported method, instead of 400, which would indicate a syntactically invalid message. Further, note that the 405 response does not contain an Allow header, even though RFC 9110 requires one to be present.
Expected behavior
Tornado should reject the request because its method is invalid due to containing forbidden characters. The HTTP RFCs define that only the following characters are permitted within an HTTP method:
(where DIGIT stands for ASCII digits (0-9) and ALPHA stands for ASCII letters (a-zA-Z))
All of the characters in the above request's method are disallowed, so the request should be rejected with a 400.
Nearly all other HTTP implementations reject this request with 400, including AIOHTTP, Apache httpd, FastHTTP, Go net/http, Gunicorn, H2O, HAProxy, Hyper, Hypercorn, Jetty, Ktor, Libevent, Lighttpd, Mongoose, Nginx, Node.js, LiteSpeed, Passenger, Puma, ServiceTalk, Tomcat, Twisted, OpenWrt uhttpd, Unicorn, Uvicorn, Waitress, WEBrick, and OpenBSD httpd.
Impact
Because 405 is heuristically cacheable, and different servers may have different interpretations of which bytes are invalid in headers, this behavior may be usable for cache poisoning.
Steps to reproduce
Allow
header, even though RFC 9110 requires one to be present.Expected behavior
Tornado should reject the request because its method is invalid due to containing forbidden characters. The HTTP RFCs define that only the following characters are permitted within an HTTP method:
(where DIGIT stands for ASCII digits (0-9) and ALPHA stands for ASCII letters (a-zA-Z))
All of the characters in the above request's method are disallowed, so the request should be rejected with a 400.
Nearly all other HTTP implementations reject this request with 400, including AIOHTTP, Apache httpd, FastHTTP, Go net/http, Gunicorn, H2O, HAProxy, Hyper, Hypercorn, Jetty, Ktor, Libevent, Lighttpd, Mongoose, Nginx, Node.js, LiteSpeed, Passenger, Puma, ServiceTalk, Tomcat, Twisted, OpenWrt uhttpd, Unicorn, Uvicorn, Waitress, WEBrick, and OpenBSD httpd.
Impact
Because 405 is heuristically cacheable, and different servers may have different interpretations of which bytes are invalid in headers, this behavior may be usable for cache poisoning.
Tornado version
master @ 100d4db2ea3ef76d0ad400c890db9e2c94331296