fix(header): disallow Trailer which were denied by RFC 7230

spaceone · spaceone · commit 61aefc8a81fc · 2026-05-30T23:09:24.000+02:00
RFC 7230 section 4.1.2 disallows various headers to be set as trailers.
The original list has been extended to include these.

This prevents check-time / use-time desynchronization attacks.
diff --git a/httoop/header/messaging.py b/httoop/header/messaging.py
@@ -426,7 +426,21 @@ class Trailer(_HopByHopElement, HeaderElement):
 
     is_response_header = True
     is_request_header = True
-    forbidden_headers = ('Transfer-Encoding', 'Content-Length', 'Trailer')
+    forbidden_headers = (
+        # framing
+        'Transfer-Encoding', 'Content-Length',
+        # routing
+        'Host',
+        # request modifiers (controls, conditionals)
+        'Expect', 'Max-Forwards',
+        'If-Match', 'If-None-Match', 'If-Modified-Since', 'If-Unmodified-Since', 'If-Range',
+        # authentication and state management
+        'Authorization', 'Proxy-Authorization', 'Cookie', 'Set-Cookie',
+        # response control data
+        'Age', 'Cache-Control', 'Expires', 'Date', 'Location', 'Retry-After', 'Vary', 'Warning',
+        # payload processing
+        'Content-Encoding', 'Content-Type', 'Content-Range', 'Trailer',
+    )  # fmt: off
 
     def sanitize(self) -> None:
         if self.value.title() in self.forbidden_headers:
diff --git a/httoop/parser.py b/httoop/parser.py
@@ -7,6 +7,7 @@
 
 from httoop.exceptions import Invalid, InvalidBody, InvalidBodySize, InvalidHeader, InvalidHeaderSize, InvalidLine, InvalidURI
 from httoop.header import Headers
+from httoop.header.messaging import Trailer
 from httoop.messages import Message
 from httoop.status import BAD_REQUEST, NOT_IMPLEMENTED, PAYLOAD_TOO_LARGE, REQUEST_HEADER_FIELDS_TOO_LARGE
 from httoop.util import _, integer
@@ -306,6 +307,11 @@ def parse_trailers(self) -> bool:
             exc = InvalidHeader(_('Invalid trailers: %r'), str(exc))
             raise BAD_REQUEST(str(exc))
 
+        for forbidden in Trailer.forbidden_headers:
+            if forbidden in self.trailers:
+                exc = InvalidHeader(_('A Trailer header MUST NOT contain %r field.'), forbidden)
+                raise BAD_REQUEST(str(exc))
+
         self.merge_trailer_into_header()
         return False
 
