Tornado does not reject messages with BWS after field-name
RFC 7230: server MUST reject messages with BWS after field-name (#445) Obey the RFC requirement to reject HTTP requests with whitespace between field-name and the colon delimiter. Rejection is critical in the presence of broken HTTP agents that mishandle malformed messages.
If not, it will be used to smuggle HTTP requests.
Test code:
```python
import tornado.ioloop
import tornado.web


class MainHandler(tornado.web.RequestHandler):
    def get(self):
        self.write("Hello, world")

    def post(self):
        # Echo the raw request body so the parsed framing is visible in the response.
        data = self.request.body
        self.write(str(data))


def make_app():
    return tornado.web.Application([
        (r"/", MainHandler),
    ])


if __name__ == "__main__":
    app = make_app()
    app.listen(8000)
    tornado.ioloop.IOLoop.current().start()
```
Test script:
```sh
printf 'POST / HTTP/1.1\r\n'\
'Host:localhost\r\n'\
'Content-length : 5\r\n'\
'Connection: close\r\n'\
'\r\n'\
'a=3\r\n'\
'\r\n'\
| nc -w 1 127.0.0.1 8000
```
Expected behavior: return 400
Actual behavior: return 200
Version: Tornado 6.0.3, Python 3.7.5
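The following is an added example, not code from this report or from Tornado itself, showing the check the RFC asks for and why it matters. RFC 7230 defines `header-field = field-name ":" OWS field-value OWS` and, in section 3.2.4, requires a server to answer 400 when there is whitespace between the field-name and the colon. The strict parser below enforces that grammar (field-name restricted to RFC 7230 `tchar` characters, no whitespace before the colon); a deliberately lenient parser beside it strips whitespace around the name, which is the behaviour that lets two parsers disagree about whether `Content-length : 5` is a Content-Length header at all, the disagreement that request smuggling relies on. Function names (`parse_header_line`, `validate_request_head`, `lenient_headers`, etc.) are my own, and the sample request is constructed from the test script above.

```python
from __future__ import annotations

import re

# RFC 7230 section 3.2.6 "tchar": the only characters a field-name may contain.
_TCHAR = r"!#$%&'*+\-.^_`|~0-9A-Za-z"

# RFC 7230 section 3.2: header-field = field-name ":" OWS field-value OWS
# There is no whitespace production between field-name and ":".
_HEADER_RE = re.compile(r"^([" + _TCHAR + r"]+):[ \t]*(.*?)[ \t]*$")


class MalformedHeader(ValueError):
    """A header line that an RFC 7230 server MUST reject with 400."""


def parse_header_line(line: str) -> tuple[str, str]:
    """Strictly parse one header line into (lower-cased name, value).

    Raises MalformedHeader for whitespace between the name and the colon
    (RFC 7230 section 3.2.4) or for non-token characters in the name.
    """
    line = line.rstrip("\r\n")
    m = _HEADER_RE.match(line)
    if m is None:
        raise MalformedHeader(f"invalid header line: {line!r}")
    return m.group(1).lower(), m.group(2)


def is_valid_header_line(line: str) -> bool:
    """True if the strict grammar accepts the line."""
    try:
        parse_header_line(line)
    except MalformedHeader:
        return False
    return True


def lenient_parse_header_line(line: str) -> tuple[str, str]:
    """The lenient behaviour to avoid: whitespace around the name is silently stripped."""
    name, _, value = line.rstrip("\r\n").partition(":")
    return name.strip().lower(), value.strip()


def _header_block(raw: bytes) -> list[str]:
    """Header lines after the request line, up to (not including) the empty line."""
    _, _, rest = raw.partition(b"\r\n")
    lines = []
    for line in rest.decode("latin-1").split("\r\n"):
        if line == "":
            break
        lines.append(line)
    return lines


def strict_headers(raw: bytes) -> dict[str, str]:
    """Headers as a strict RFC 7230 parser sees them (raises on a bad line)."""
    return dict(parse_header_line(line) for line in _header_block(raw))


def lenient_headers(raw: bytes) -> dict[str, str]:
    """Headers as the lenient parser sees them."""
    return dict(lenient_parse_header_line(line) for line in _header_block(raw))


def validate_request_head(raw: bytes) -> int:
    """Status a strict server should answer with: 400 on any malformed header, else 200."""
    try:
        strict_headers(raw)
    except MalformedHeader:
        return 400
    return 200


# Constructed sample: the request sent by the report's test script.
REPORT_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host:localhost\r\n"
    b"Content-length : 5\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"a=3\r\n"
    b"\r\n"
)

# Constructed sample: the same request with a well-formed Content-Length header.
CLEAN_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: localhost\r\n"
    b"Content-Length: 5\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"a=3\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    print("strict verdict on report request:", validate_request_head(REPORT_REQUEST))
    print("strict verdict on clean request: ", validate_request_head(CLEAN_REQUEST))
    print("lenient parser sees:", lenient_headers(REPORT_REQUEST))
```

The lenient parser reports `content-length` as `5` for the malformed request, while the strict parser refuses the message outright; an intermediary and an origin server that fall on different sides of that choice would frame the same byte stream differently, which is exactly the condition the report warns about. Rejecting with 400, as the RFC requires, removes the ambiguity.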