FastHTTP doesn't strip tabs from header values #1808

Closed
@kenballus

Description

When FastHTTP receives a header value suffixed or prefixed with tabs, they should be stripped according to the RFCs. This is what nearly all other HTTP implementations do, including AIOHTTP, Apache httpd, Cheroot, Go net/http, H2O, HAProxy, Hyper, Hypercorn, Jetty, Libsoup, Lighttpd, Mongoose, Netty, Node.js, LiteSpeed, Passenger, Tomcat, Tornado, Twisted, Unicorn, Uvicorn, Waitress, and WEBrick.

Instead, FastHTTP allows the tabs to persist into the header value.

This can be confirmed by

  1. running a FastHTTP server that echoes header values (like this one),
  2. sending it a request with a header value prefixed and suffixed with tabs, and extracting the echoed header value:

```
printf 'GET / HTTP/1.1\r\nHost: whatever\r\nTest: \t abc \t\r\n\r\n' \
    | nc localhost 80 | grep '"headers"' \
    | jq '.["headers"][1][1]' \
    | xargs echo \
    | base64 -d \
    | xxd
00000000: 0920 6162 6320 09                        . abc .
```

Notably, spaces are correctly stripped. Presumably, the patch should change this function to strip tabs in addition to spaces.
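
The difference between space-only trimming and RFC 9110 OWS trimming (SP and HTAB), as an added Go example that is not code from the issue or from FastHTTP. The function names `trimSpacesOnly`, `trimOWS` and `parseFieldLine` are hypothetical, and the input is the field line from the request above.

```go
package main

import (
	"bytes"
	"fmt"
)

// isOWS reports whether c is optional whitespace per RFC 9110 section 5.6.3:
// OWS = *( SP / HTAB ).
func isOWS(c byte) bool { return c == ' ' || c == '\t' }

// trimSpacesOnly models the reported behaviour: only SP is stripped.
// Hypothetical name; this is not FastHTTP's function.
func trimSpacesOnly(v []byte) []byte { return bytes.Trim(v, " ") }

// trimOWS strips leading and trailing SP and HTAB, leaving inner whitespace.
func trimOWS(v []byte) []byte {
	start, end := 0, len(v)
	for start < end && isOWS(v[start]) {
		start++
	}
	for end > start && isOWS(v[end-1]) {
		end--
	}
	return v[start:end]
}

// parseFieldLine splits one "name:value" line (CRLF already removed) and
// applies the given trimming policy to the value.
func parseFieldLine(line []byte, trim func([]byte) []byte) (name, value []byte, ok bool) {
	i := bytes.IndexByte(line, ':')
	if i <= 0 {
		return nil, nil, false // no colon, or empty field name
	}
	return line[:i], trim(line[i+1:]), true
}

func main() {
	// Constructed input: the field line from the request in the issue.
	line := []byte("Test: \t abc \t")
	_, loose, _ := parseFieldLine(line, trimSpacesOnly)
	_, strict, _ := parseFieldLine(line, trimOWS)
	fmt.Printf("spaces only: %q (% x)\n", loose, loose)
	fmt.Printf("SP and HTAB: %q (% x)\n", strict, strict)
}
```

The space-only policy yields the same seven bytes as the `xxd` output above, while the OWS policy yields `abc`.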
