authorBert JW Regeer <bertjw@regeer.org>2019-12-12 17:52:05 -0800
committerBert JW Regeer <bertjw@regeer.org>2019-12-19 15:59:58 +0100
commit804e3133a54088fc879c5e791bbe14bb8eb625f9 (patch)
treeaa1e79f6b60104d842a964ec0d3d68f650bb733e
parentfb08ecf008d314a6c5ba4814efbb41abb0284dbf (diff)
downloadwaitress-804e3133a54088fc879c5e791bbe14bb8eb625f9.tar.gz
Disallow BWS in header field-names
Waitress used to treat "Foo : bar" as a valid header; however, https://tools.ietf.org/html/rfc7230#section-3.2 states that this is not valid.
-rw-r--r--waitress/parser.py4
-rw-r--r--waitress/tests/test_parser.py12
2 files changed, 16 insertions, 0 deletions
diff --git a/waitress/parser.py b/waitress/parser.py
index 945e680..e2970cb 100644
--- a/waitress/parser.py
+++ b/waitress/parser.py
@@ -197,6 +197,10 @@ class HTTPRequestParser(object):
index = line.find(b":")
if index > 0:
key = line[:index]
+
+ if key != key.strip():
+ raise ParsingError("Invalid whitespace after field-name")
+
if b"_" in key:
continue
value = line[index + 1 :].strip()
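Review bot: The new check `if key != key.strip():` rejects whitespace only at the edges of the field-name, so a name with embedded whitespace or other non-token bytes (for example `Foo Bar: x`) still appears to pass to the code below. RFC 7230 defines field-name as a `token`, and any name this parser accepts but an upstream proxy rejects or reads differently is a header the two can disagree on, so consider validating `key` against the token character set here rather than only comparing with `strip()`. At minimum, add a comment stating the intent, such as `# RFC 7230 3.2.4: no whitespace between field-name and ":"; a lenient parse here can differ from an upstream proxy's view of the request`. `key.strip()` also matches leading whitespace, in which case the message "Invalid whitespace after field-name" would be misleading. The enclosing method starts and ends outside this hunk, so whether leading whitespace is already handled earlier is not visible.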
diff --git a/waitress/tests/test_parser.py b/waitress/tests/test_parser.py
index 04de127..463e0b2 100644
--- a/waitress/tests/test_parser.py
+++ b/waitress/tests/test_parser.py
@@ -242,6 +242,18 @@ class TestHTTPRequestParser(unittest.TestCase):
else: # pragma: nocover
self.assertTrue(False)
+ def test_parse_header_invalid_whitespace(self):
+ from waitress.parser import ParsingError
+
+ data = b"GET /foobar HTTP/8.4\r\nfoo : bar\r\n"
+ try:
+ self.parser.parse_header(data)
+ except ParsingError as e:
+ self.assertIn("Invalid whitespace after field-name", e.args[0])
+ else: # pragma: nocover
+ self.assertTrue(False)
+
+
class Test_split_uri(unittest.TestCase):
def _callFUT(self, uri):
from waitress.parser import split_uri
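Review bot: The added test exercises only a single space before the colon, while the parser's `key.strip()` comparison also covers a tab, so that variant is unpinned and could regress if the check is later rewritten. A second case using `data = b"GET /foobar HTTP/8.4\r\nfoo\t: bar\r\n"` and asserting the same ParsingError would cover it. A positive case next to it, showing that `foo: bar` still parses, would confirm the check does not reject valid field-names.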