According to RFC 7230:
No whitespace is allowed between the header field-name and colon. In
the past, differences in the handling of such whitespace have led to
security vulnerabilities in request routing and response handling. A
server MUST reject any received request message that contains
whitespace between a header field-name and colon with a response code
of 400 (Bad Request). A proxy MUST remove any such whitespace from a
response message before forwarding the message downstream.
Error in test serverMustRejectHeaderWithSpaceBetweenHeaderNameAndColon.
Links to related tests: #644
The bug is valid, but the IT testing it is wrong. Additionally, the K3PO script testing it is wrong.
The error in the K3PO script is corrected in this PR.
The test serverMustRejectHeaderWithSpaceBetweenHeaderNameAndColon is wrong because it actually defines the behaviour that the acceptor should have upon that particular request. So the acceptor is made to send back "HTTP 400", at this line.
So actually, after fixing the K3PO script (in the PR above), the test passes, but in reality the gateway does accept headers like "Invalid: header". So I do believe the test is actually wrong.
@a-zuckut, @dpwspoon
This issue is solved in this PR.
This PR doesn't contain unit tests or the merges from #644 since the unit tests are incorrect. I have mentioned in that pull request how they are incorrect. They were however tested, but the tests were not committed.
The PR referenced above should also be merged in kaazing/k3po.
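
Added example, not part of the thread and not gateway or K3PO code: the RFC 7230 rule quoted in the issue, with the server role rejecting whitespace between field-name and colon and the proxy role removing it from a response before forwarding. The function names, the `BadRequest` exception and the sample messages are constructed for illustration.

```python
import re

# RFC 7230 "token" characters; a field-name must consist only of these.
TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")

# Constructed sample messages (not captured traffic).
GOOD_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
BAD_REQUEST = b"GET / HTTP/1.1\r\nHost : example.test\r\n\r\n"
BAD_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Length : 2\r\n\r\nok"


class BadRequest(Exception):
    """Raised by the server role; the caller answers 400 (Bad Request)."""


def parse_request_headers(head: bytes) -> dict:
    """Server role: parse header fields, rejecting 'Name : value'."""
    headers = {}
    for line in head.split(b"\r\n")[1:]:       # skip the request-line
        if line == b"":
            break                               # end of header section
        raw_name, sep, value = line.partition(b":")
        if not sep:
            raise BadRequest("header line has no colon")
        # fullmatch fails on trailing SP/HTAB, i.e. whitespace before the colon
        if not TOKEN.fullmatch(raw_name):
            raise BadRequest(f"invalid field-name {raw_name!r}")
        name = raw_name.decode("ascii").lower()
        headers.setdefault(name, []).append(value.strip(b" \t").decode("latin-1"))
    return headers


def sanitize_response_headers(head: bytes) -> bytes:
    """Proxy role: strip whitespace between field-name and colon."""
    lines = head.split(b"\r\n")
    out = [lines[0]]                            # status-line is kept as is
    for i, line in enumerate(lines[1:], 1):
        if line == b"":
            out.extend(lines[i:])               # blank line and body untouched
            break
        raw_name, sep, rest = line.partition(b":")
        # a line without a colon is passed through unchanged
        out.append(raw_name.rstrip(b" \t") + b":" + rest if sep else line)
    return b"\r\n".join(out)
```

A test for the acceptor should assert on what `parse_request_headers` does with the malformed request, rather than scripting the 400 response itself.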