RFC compliant header field+chunk validation

* update HEADER_RE and HEADER_VALUE_RE to match the RFCs
* update chunk length parsing to disallow 0x prefix and digit-separating underscores.

gunicorn/http/body.py

@@ -86,10 +86,9 @@ class ChunkedReader(object):
         line, rest_chunk = data[:idx], data[idx + 2:]
 
         chunk_size = line.split(b";", 1)[0].strip()
-        try:
-            chunk_size = int(chunk_size, 16)
-        except ValueError:
+        if any(n not in b"0123456789abcdefABCDEF" for n in chunk_size):
             raise InvalidChunkSize(chunk_size)
+        chunk_size = int(chunk_size, 16)
 
         if chunk_size == 0:
             try:

gunicorn/http/message.py

@@ -21,7 +21,7 @@ MAX_REQUEST_LINE = 8190
 MAX_HEADERS = 32768
 DEFAULT_MAX_HEADERFIELD_SIZE = 8190
 
-HEADER_RE = re.compile(r"[\x00-\x1F\x7F()<>@,;:\[\]={} \t\\\"]")
+HEADER_RE = re.compile(r"[^!#$%&'*+\-.\^_`|~0-9a-zA-Z]")
 METH_RE = re.compile(r"[A-Z0-9$-_.]{3,20}")
 VERSION_RE = re.compile(r"HTTP/(\d+)\.(\d+)")
 

gunicorn/http/wsgi.py

@@ -18,7 +18,7 @@ from gunicorn import util
 # with sending files in blocks over 2GB.
 BLKSIZE = 0x3FFFFFFF
 
-HEADER_VALUE_RE = re.compile(r'[\x00-\x1F\x7F]')
+HEADER_VALUE_RE = re.compile(r'[^ \t\x21-\x7e\x80-\xff]')
 
 log = logging.getLogger(__name__)