style: re-verbosify HTTP commentary

gunicorn/http/message.py

@@ -178,16 +178,17 @@ def set_body_reader(self):
  elif name == "TRANSFER-ENCODING":
  # T-E can be a list
  # https://datatracker.ietf.org/doc/html/rfc9112#name-transfer-encoding
- vals = [v.strip() for v in value.split(',')]
- for val in vals:
+ te_split_at_comma = [v.strip() for v in value.split(',')]
+ # N.B. we might have split in the middle of quoted transfer-parameter
+ for val in te_split_at_comma:
  if val.lower() == "chunked":
  # DANGER: transfer codings stack, and stacked chunking is never intended
  if chunked:
  raise InvalidHeader("TRANSFER-ENCODING", req=self)
  chunked = True
  elif val.lower() == "identity":
  # does not do much, could still plausibly desync from what the proxy does
- # safe option: nuke it, its never needed
+ # safe option: reject, its never needed
  if chunked:
  raise InvalidHeader("TRANSFER-ENCODING", req=self)
  elif val.lower() in ('compress', 'deflate', 'gzip'):
@@ -196,18 +197,22 @@ def set_body_reader(self):
  raise InvalidHeader("TRANSFER-ENCODING", req=self)
  self.force_close()
  else:
+ # DANGER: this not only rejects unknown encodings, but also
+ # leftovers from not splitting at transfer-coding boundary
  raise UnsupportedTransferCoding(value)
 
  if chunked:
  # two potentially dangerous cases:
  # a) CL + TE (TE overrides CL.. only safe if the recipient sees it that way too)
  # b) chunked HTTP/1.0 (always faulty)
  if self.version < (1, 1):
- # framing wonky, see RFC 9112 Section 6.1
+ # framing is faulty
+ # https://datatracker.ietf.org/doc/html/rfc9112#section-6.1-16
  raise InvalidHeader("TRANSFER-ENCODING", req=self)
  if content_length is not None:
  # we cannot be certain the message framing we understood matches proxy intent
  # -> whatever happens next, remaining input must not be trusted
+ # https://datatracker.ietf.org/doc/html/rfc9112#section-6.1-15
  raise InvalidHeader("CONTENT-LENGTH", req=self)
  self.body = Body(ChunkedReader(self, self.unreader))
  elif content_length is not None: