mirror of
https://github.com/frappe/gunicorn.git
synced 2026-01-14 11:09:11 +08:00
New parser rule: refuse HTTP requests where a header field value contains characters that a) should never appear there in the first place, b) might have led to incorrect treatment in a proxy in front, and c) might lead to unintended behaviour in applications. From RFC 9110 section 5.5: "Field values containing CR, LF, or NUL characters are invalid and dangerous, due to the varying ways that implementations might parse and interpret those characters; a recipient of CR, LF, or NUL within a field value MUST either reject the message or replace each of those characters with SP before further processing or forwarding of that message."
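
The two recipient behaviours the quoted RFC 9110 text allows (reject, or replace with SP), shown as an added example; this is not gunicorn's code and not part of this commit. The function names, the exception class and the sample header blocks are assumptions made for illustration.

```python
import re

# Characters RFC 9110 section 5.5 calls invalid and dangerous in a field value.
FORBIDDEN = re.compile(rb"[\r\n\x00]")


class InvalidFieldValue(ValueError):
    """Raised when a field value contains CR, LF or NUL (hypothetical name)."""


def clean_field_value(value: bytes, replace: bool = False) -> bytes:
    """Apply one of the two behaviours RFC 9110 allows a recipient.

    replace=False: reject the message (raise).
    replace=True:  replace each CR, LF or NUL with SP and continue.
    """
    if FORBIDDEN.search(value):
        if not replace:
            raise InvalidFieldValue(repr(value))
        value = FORBIDDEN.sub(b" ", value)
    return value


def parse_fields(block: bytes, replace: bool = False) -> list[tuple[bytes, bytes]]:
    """Split a header block on CRLF and validate every field value.

    A bare CR, a bare LF or a NUL survives the CRLF split and ends up
    inside a value, which is where the check catches it. Field names
    are not validated in this sketch.
    """
    fields = []
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            raise ValueError("field line without colon: %r" % line)
        value = value.strip(b" \t")  # optional whitespace around the value
        fields.append((name, clean_field_value(value, replace)))
    return fields


# Constructed sample input: the second field of SAMPLE_BAD carries a bare LF.
SAMPLE_OK = b"Host: example.test\r\nAccept: */*\r\n"
SAMPLE_BAD = b"Host: example.test\r\nX-Note: a\nb\r\n"
```

Rejecting is the behaviour the commit message describes; the replace path is the alternative the RFC permits.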