Mongoose terminates HTTP headers improperly
kenballus opened this issue
From RFC 9112:
Although the line terminator for the start-line and fields is the sequence CRLF, a recipient MAY recognize a single LF as a line terminator and ignore any preceding CR.
A sender MUST NOT generate a bare CR (a CR character not immediately followed by LF) within any protocol elements other than the content. A recipient of such a bare CR MUST consider that element to be invalid or replace each bare CR with SP before processing the element or forwarding the message.
Mongoose terminates headers on bare CR, in violation of the standard. For example, the following request is parsed incorrectly:
GET / HTTP/1.1\r\n
Whatever: whatever\rContent-Length: 10\r\n
\r\n
0123456789
Mongoose interprets this message as having a Content-Length header, and consequently interprets the 0123456789 as being the request body. A standards-compliant HTTP server would either replace the '\r' with a space, and thus see a Whatever: whatever Content-Length: 10 header, or reject the message and respond 400.