Gunicorn doesn't strip tabs and spaces from header values on the right

[kenballus]

The RFCs specify that header values can be prefixed and/or suffixed with any number of spaces and/or tabs, and that this whitespace should be ignored.

Currently, Gunicorn only ignores this whitespace on the left. For example, if you send the following request to Gunicorn:

GET / HTTP/1.1\r\n
Host: a\r\n
Test: \t abc \t \r\n
\r\n

...it sees a Test header value of abc \t , but it should see abc. Most other HTTP implementations, including AIOHTTP, Apache httpd, Cheroot, Go net/http, H2O, HAProxy, Hyper, Hypercorn, Jetty, Libsoup, Lighttpd, Mongoose, Netty, Node.js, LiteSpeed, Passenger, Tomcat, Tornado, Twisted, Unicorn, Uvicorn, Waitress, and WEBrick, strip the whitespace appropriately.

[pajod]

Definitely a good idea to strip the rightmost padding in the simple case.. yet I doubt it meaningfully reduces the burden on applications to gracefully deal with funny input, as long as the inconsistency about tabs in the middle remains. If you have knowledge of any other proxy or gateway recently changing their "replace each received obs-fold with one or more SP octets" approach, please link relevant bug trackers.