Gunicorn doesn't strip tabs and spaces from header values on the right #3245
kenballus changed the title from "Gunicorn doesn't strip tabs and spaces from header values on the left" to "Gunicorn doesn't strip tabs and spaces from header values on the right" on Jul 17, 2024
Definitely a good idea to strip the rightmost padding in the simple case.. yet I doubt it meaningfully reduces the burden on applications to gracefully deal with funny input, as long as the inconsistency about tabs in the middle remains. If you have knowledge of any other proxy or gateway recently changing their "replace each received obs-fold with one or more SP octets" approach, please link relevant bug trackers.
The RFCs specify that header values can be prefixed and/or suffixed with any number of spaces and/or tabs, and that this whitespace should be ignored.
Currently, Gunicorn only ignores this whitespace on the left. For example, if you send the following request to Gunicorn:
...it sees a `Test` header value of `abc \t`, but it should see `abc`.
Most other HTTP implementations, including AIOHTTP, Apache httpd, Cheroot, Go net/http, H2O, HAProxy, Hyper, Hypercorn, Jetty, Libsoup, Lighttpd, Mongoose, Netty, Node.js, LiteSpeed, Passenger, Tomcat, Tornado, Twisted, Unicorn, Uvicorn, Waitress, and WEBrick, strip the whitespace appropriately.
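An added example, not part of the original issue and not Gunicorn's code: a minimal field-line parser that trims only SP and HTAB on both sides of the value, next to a left-only mode that reproduces the behaviour reported above. The function names and the sample request are constructed for illustration.

```python
OWS = " \t"  # optional whitespace in RFC 9110 is SP / HTAB only


def parse_field_line(line: bytes, strip_right: bool = True) -> tuple[str, str]:
    """Split one header field line into (lower-cased name, value).

    strip_right=False reproduces the left-only trimming described in the issue.
    """
    name, sep, value = line.partition(b":")
    if not sep or not name or name != name.strip():
        # Whitespace around the field name is rejected rather than trimmed.
        raise ValueError(f"malformed field line: {line!r}")
    text = value.decode("latin-1")
    # str.strip() with no argument would also eat \v, \f, \r and friends;
    # passing OWS limits trimming to the two characters the RFC allows.
    text = text.strip(OWS) if strip_right else text.lstrip(OWS)
    return name.decode("ascii").lower(), text


def parse_headers(raw: bytes, strip_right: bool = True) -> list[tuple[str, str]]:
    """Parse every field line between the request line and the blank line."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    field_lines = head.split(b"\r\n")[1:]  # drop the request line
    return [parse_field_line(fl, strip_right) for fl in field_lines]


def disagreements(raw: bytes) -> list[tuple[str, str, str]]:
    """Return (name, left_only_value, full_strip_value) where the two differ."""
    full = parse_headers(raw, strip_right=True)
    left_only = parse_headers(raw, strip_right=False)
    return [(n, lv, fv) for (n, fv), (_, lv) in zip(full, left_only) if fv != lv]


# Constructed sample request: the Test value carries trailing SP and HTAB.
SAMPLE = b"GET / HTTP/1.1\r\nHost: example.test\r\nTest: \tabc \t\r\n\r\n"

if __name__ == "__main__":
    for name, left_only_value, full_value in disagreements(SAMPLE):
        print(f"{name}: left-only={left_only_value!r} full={full_value!r}")
```

Running `disagreements` over captured requests in a test suite shows which header values an application would see differently behind a parser that trims only the left side.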