Remove default strip of header name

gunicorn/config.py

@@ -2010,3 +2010,20 @@ class PasteGlobalConf(Setting):
 
         .. versionadded:: 19.7
         """
+
+
+class StripHeaderSpaces(Setting):
+    name = "strip_header_spaces"
+    section = "Server Mechanics"
+    cli = ["--strip-header-spaces"]
+    validator = validate_bool
+    action = "store_true"
+    default = False
+    desc = """\
+        Strip spaces present between the header name and the the ``:``.
+        
+        This is known to induce vulnerabilities and is not compliant with the HTTP/1.1 standard.
+        See https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn.
+        
+        Use with care and only if necessary.
+        """

gunicorn/http/message.py

@@ -90,7 +90,10 @@ class Message(object):
             if curr.find(":") < 0:
                 raise InvalidHeader(curr.strip())
             name, value = curr.split(":", 1)
-            name = name.rstrip(" \t").upper()
+            if self.cfg.strip_header_spaces:
+                name = name.rstrip(" \t").upper()
+            else:
+                name = name.upper()
             if HEADER_RE.search(name):
                 raise InvalidHeaderName(name)
 

tests/requests/invalid/020.http

@@ -0,0 +1,4 @@
+GET /stuff/here?foo=bar HTTP/1.1\r\n
+Content-Length : 3\r\n
+\r\n
+xyz

tests/requests/invalid/020.py

@@ -0,0 +1,5 @@
+from gunicorn.config import Config
+from gunicorn.http.errors import InvalidHeaderName
+
+cfg = Config()
+request = InvalidHeaderName

tests/requests/valid/028.http

@@ -0,0 +1,4 @@
+GET /stuff/here?foo=bar HTTP/1.1\r\n
+Content-Length : 3\r\n
+\r\n
+xyz

tests/requests/valid/028.py

@@ -0,0 +1,14 @@
+from gunicorn.config import Config
+
+cfg = Config()
+cfg.set("strip_header_spaces", True)
+
+request = {
+    "method": "GET",
+    "uri": uri("/stuff/here?foo=bar"),
+    "version": (1, 1),
+    "headers": [
+        ("CONTENT-LENGTH", "3"),
+    ],
+    "body": b"xyz"
+}