commit 4cc4e7dc856e1c763e0b36133016adad01cdf46f from: Rafael Sadowski date: Sat May 30 16:27:52 2026 UTC reject obs-fold with 400 (RFC 9112 5.2) Replace silent kv_extend normalisation with an unconditional 400. RFC 9112 5.2 explicitly permits rejection; it is the safer choice over SP replacement, which hides parser ambiguity downstream.
commit - caed4502eeca392fd0b05d89d49209b1b751cdfd
commit + 4cc4e7dc856e1c763e0b36133016adad01cdf46f
blob - 5bd3259dec04240b34b8b577db66531444ffaa5b
blob + a320d6e3b266ded26bd505bb82e985e721660300
--- relay_http.c
+++ relay_http.c
@@ -261,23 +261,13 @@ relay_read_http(struct bufferevent *bev, void *arg)
 continue;
 }
 
- /* Multiline headers wrap with a space or tab. */
+ /*
+ * RFC 9112 section 5.2: reject obs-fold with 400
+ * SP replacement hides parser ambiguity downstream
+ */
 if (*line == ' ' || *line == '\t') {
- if (cre->line == 2) {
- /* First header line cannot start with space. */
- relay_abort_http(con, 400, "malformed", 0);
- goto abort;
- }
-
- /* Append line to the last header, if present */
- if (kv_extend(&desc->http_headers,
- desc->http_lastheader, line) == NULL) {
- free(line);
- goto fail;
- }
-
- free(line);
- continue;
+ relay_abort_http(con, 400, "malformed", 0);
+ goto abort;
 }
 
 /* Process the last complete header line. */
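Review bot: The new `if (*line == ' ' || *line == '\t')` branch answers 400 no matter which side sent the folded line; if relay_read_http also parses backend responses (its body starts and ends outside this hunk, so this is inferred), RFC 9112 section 5.2 asks a proxy to replace such a response with 502 rather than blame the client with a 400. Consider choosing the status by direction, for example `relay_abort_http(con, cre->dir == RELAY_DIR_RESPONSE ? 502 : 400, "malformed", 0);`, and stating both cases in the comment above the check. A more specific reason string such as `"obsolete line folding"` would also let operators tell these rejections apart from other malformed-header aborts when triaging logs. The removed continuation path freed `line` itself before leaving, whereas the new path relies on the `abort` label to release it; that label is not visible here and is worth confirming.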