From 5196a65ecced392f601a2a24bcf97969cce523de Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour <demiobenour@gmail.com>
Date: Wed, 26 Mar 2025 15:00:31 -0400
Subject: [PATCH] Block leading and trailing whitespace in field values

This blocks header values with leading and trailing whitespace.
This is not needed for HTTP/1.x where the parser already strips
such whitespace, but in HTTP/2 and HTTP/3 the parser does not
strip such whitespace and so it is up to the `http` crate to reject
such headers.

Different HTTP/2 and HTTP/3 libraries treat such values
differently, so rejection is the safest option.

Fixes #245
---
 src/header/value.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/header/value.rs b/src/header/value.rs
index 99d1e155..eb9abc93 100644
--- a/src/header/value.rs
+++ b/src/header/value.rs
@@ -241,7 +241,14 @@ impl HeaderValue {
         src: T,
         into: F,
     ) -> Result<HeaderValue, InvalidHeaderValue> {
-        for &b in src.as_ref() {
+        let u8_slice = src.as_ref();
+        match u8_slice {
+            [b' ', ..] | [b'\t', ..] | [.., b' '] | [.., b'\t'] => {
+                return Err(InvalidHeaderValue { _priv: () })
+            }
+            _ => (),
+        };
+        for &b in u8_slice {
             if !is_valid(b) {
                 return Err(InvalidHeaderValue { _priv: () });
             }