Closed
Description
Expected behavior
Netty shouldn't allow the invalid fold. According to RFC 7230, https://tools.ietf.org/html/rfc7230#section-3.2:
header-field = field-name ":" OWS field-value OWS
field-name = token
field-value = *( field-content / obs-fold )
field-content = field-vchar [ 1*( SP / HTAB ) field-vchar ]
field-vchar = VCHAR / obs-text
obs-fold = CRLF 1*( SP / HTAB )
; obsolete line folding
; see Section 3.2.4
An SP or HTAB should follow the CRLF. But Netty allows a CRLF without an SP or HTAB.

Actual behavior
Netty accepts the invalid fold. This may cause HTTP smuggling.
Steps to reproduce
Send a request like this:
POST / HTTP/1.1
Host: example.com
Connection: close
Content-Length: 5
Content-Length:
6
0
Minimal yet complete reproducer code (or URL to code)
Netty version
all
JVM version (e.g. java -version)
java version "1.8.0_181"
OS version (e.g. uname -a)
Darwin ZedddeMacBook-Pro.local 19.0.0 Darwin Kernel Version 19.0.0: Thu Oct 17 16:17:15 PDT 2019; root:xnu-6153.41.3~29/RELEASE_X86_64 x86_64