commit d3c94cd1971d92a812aca9d7f4de89ab6dd636f4
from: Rafael Sadowski <rafael@sizeofvoid.org>
date: Sat May 30 16:05:36 2026 UTC

reject obs-fold with 400 (RFC 9112 5.2)

Replace silent kv_extend normalisation with an unconditional 400.
RFC 9112 5.2 explicitly permits rejection; it is the safer choice
over SP replacement, which hides parser ambiguity downstream.

commit - 432905dcdca8c4c7e19cd39c66a6a88739ada1a8
commit + d3c94cd1971d92a812aca9d7f4de89ab6dd636f4
blob - fb3ec67ae0e4b22d64f519bceb51b301c5b1e38b
blob + 9b6ec027eea015a3f654cfccf62d3139b5d6d75c
--- server_http.c
+++ server_http.c
@@ -284,31 +284,23 @@ server_read_http(struct bufferevent *bev, void *arg)
 		 */
 		if (++clt->clt_line == 1)
 			value = strchr(key, ' ');
-		else if (*key == ' ' || *key == '\t')
-			/* Multiline headers wrap with a space or tab */
-			value = NULL;
+		else if (*key == ' ' || *key == '\t') {
+			/*
+			 * RFC 9112 section 5.2: reject obs-fold with 400
+			 * SP replacement hides parser ambiguity downstream
+			 */
+			server_abort_http(clt, 400, "malformed");
+			goto abort;
+		}
 		else {
-			/* Not a multiline header, should have a : */
 			value = strchr(key, ':');
-			if (value == NULL) {
-				server_abort_http(clt, 400, "malformed");
-				goto abort;
-			}
 		}
+
 		if (value == NULL) {
-			if (clt->clt_line == 1) {
-				server_abort_http(clt, 400, "malformed");
-				goto abort;
-			}
-
-			/* Append line to the last header, if present */
-			if (kv_extend(&desc->http_headers,
-			    desc->http_lastheader, line) == NULL)
-				goto fail;
-
-			free(line);
-			continue;
+			server_abort_http(clt, 400, "malformed");
+			goto abort;
 		}
+
 		if (*value == ':') {
 			*value++ = '\0';
 			value += strspn(value, " \t\r\n");