From 804e3133a54088fc879c5e791bbe14bb8eb625f9 Mon Sep 17 00:00:00 2001
From: Bert JW Regeer
Date: Thu, 12 Dec 2019 17:52:05 -0800
Subject: [PATCH] Disallow BWS in header field-names

Waitress used to treat: Foo : bar As a valid header, however https://tools.ietf.org/html/rfc7230#section-3.2 states that this is not valid.
---
 waitress/parser.py | 4 ++++
 waitress/tests/test_parser.py | 12 ++++++++++++
 2 files changed, 16 insertions(+)

diff --git a/waitress/parser.py b/waitress/parser.py
index 945e6808..e2970cbf 100644
--- a/waitress/parser.py
+++ b/waitress/parser.py
@@ -197,6 +197,10 @@ def parse_header(self, header_plus):
 index = line.find(b":")
 if index > 0:
 key = line[:index]
+
+ if key != key.strip():
+ raise ParsingError("Invalid whitespace after field-name")
+
 if b"_" in key:
 continue
 value = line[index + 1 :].strip()
diff --git a/waitress/tests/test_parser.py b/waitress/tests/test_parser.py
index 04de1271..463e0b23 100644
--- a/waitress/tests/test_parser.py
+++ b/waitress/tests/test_parser.py
@@ -242,6 +242,18 @@ def test_parse_header_extra_lf_in_first_line(self):
 else: # pragma: nocover
 self.assertTrue(False)
 
+ def test_parse_header_invalid_whitespace(self):
+ from waitress.parser import ParsingError
+
+ data = b"GET /foobar HTTP/8.4\r\nfoo : bar\r\n"
+ try:
+ self.parser.parse_header(data)
+ except ParsingError as e:
+ self.assertIn("Invalid whitespace after field-name", e.args[0])
+ else: # pragma: nocover
+ self.assertTrue(False)
+
+
 class Test_split_uri(unittest.TestCase):
 def _callFUT(self, uri):
 from waitress.parser import split_uri
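Review bot: In waitress/parser.py the added check `key != key.strip()` only looks at the two ends of the field-name, so a name with whitespace or another non-token byte in the middle (for example `foo bar: x`) still passes this check. A header name that this parser and a front-end proxy interpret differently is the usual precondition for request smuggling, so validating the whole name against the RFC 7230 section 3.2 `token` rule would close the gap more completely than an edge check. The comparison also rejects leading whitespace, which the message "Invalid whitespace after field-name" does not describe; `raise ParsingError("Invalid whitespace in field-name")` would be accurate for both cases, with the assertion in test_parser.py updated to match. parse_header begins and ends outside this hunk, so whether folded or otherwise malformed lines are filtered earlier cannot be confirmed from here.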
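Review bot: test_parse_header_invalid_whitespace in waitress/tests/test_parser.py exercises only a single space before the colon, so the tab form of bad whitespace is not pinned by any test. A second case with `data = b"GET /foobar HTTP/8.4\r\nfoo\t: bar\r\n"` would guard against a later change that narrows `key.strip()` to spaces only. A one-line docstring such as `"""A field-name followed by whitespace before the colon must raise ParsingError."""` would also state the intent of the test.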