authorGlenn Strauss <gstrauss@gluelogic.com>2019-09-28 19:21:56 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2020-01-26 00:40:20 -0500
commit61f85d14ee4444755e0771495b97af11162448dd (patch)
tree7357d06ec949c7aae2e4bc87d681cedbf0d25bd5 /tests/request.t
parent851728c6a13ed38a2c333daf62f8d6e649e11004 (diff)
[core] reject WS following header field-name (fixes #2985)
reject whitespace following request header field-name and before colon.
Such whitespace is forbidden in RFC 7230 Section 3.2.4.

strict header parsing is enabled by default in lighttpd. However, if explicitly disabled in lighttpd.conf, lighttpd will continue to accept (and re-format) such field-names before passing to any backend.

UNSAFE: server.http-parseopts = ( "header-strict" => "disable" )
This is NOT RECOMMENDED since doing so disables other protections provided by lighttpd strict http header parsing.

(thx fedormixalich)

x-ref: "stricter request header parsing" https://redmine.lighttpd.net/issues/2985
Diffstat (limited to 'tests/request.t')
-rwxr-xr-xtests/request.t12
1 files changed, 1 insertions, 11 deletions
diff --git a/tests/request.t b/tests/request.t
index 96ef077b..aa1cace0 100755
--- a/tests/request.t
+++ b/tests/request.t
@@ -8,7 +8,7 @@ BEGIN {
use strict;
use IO::Socket;
-use Test::More tests => 52;
+use Test::More tests => 51;
use LightyTest;
my $tf = LightyTest->new();
@@ -503,16 +503,6 @@ $t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 403 } ];
ok($tf->handle_http($t) == 0, 'static file with forbidden pathinfo');
-print "\nConnection header\n";
-$t->{REQUEST} = ( <<EOF
-GET /12345.txt HTTP/1.1
-Connection : close
-Host: 123.example.org
-EOF
- );
-$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.1', 'HTTP-Status' => 200, 'HTTP-Content' => '12345'."\n", 'Content-Type' => 'text/plain', 'Connection' => 'close' } ];
-ok($tf->handle_http($t) == 0, 'Connection-header, spaces before ":"');
-
$t->{REQUEST} = ( <<EOF
GET /12345.txt HTTP/1.1
Connection: ,close