
Comments (7)

Ousret commented on September 19, 2024

Hi,

Thank you for the report.
I've tested your entries:

    from requests import get

    # Header names from the report: NUL, BEL, a name containing DQUOTE, a name containing '/'.
    entries = [
        '\x00',
        '\x07',
        'invalid"',
        'invalid/'
    ]

    for entry in entries:

        # Send each candidate as a header *name* and let the remote server judge it.
        r = get(
            "https://httpbin.org/headers",
            headers={
                entry: "test"
            }
        )

        # httpbin answers 400 when it refuses the request outright.
        print(
            entry,
            "KO" if r.status_code == 400 else "OK"
        )

KO = does not work and the remote server responds with 400/INVALID REQUEST
OK = Fine

  • 'invalid"' is KO
  • 'invalid/' is OK
  • '\x07' is KO
  • '\x00' is KO

from kiss-headers.

Ousret commented on September 19, 2024

Further tests on the '/' indicate that this character is allowed anywhere: at the beginning, at the end, and multiple times.

from kiss-headers.

Ousret commented on September 19, 2024

More:

    from kiss_headers.utils import is_legal_header_name
    from requests import get


    if __name__ == "__main__":

        # Variations on the '/' case: trailing, leading, alone, repeated.
        entries = [
            'invalid/',
            '/invalid',
            '/',
            '//invalid/'
        ]

        for entry in entries:

            # Remote verdict: httpbin returns 400 when it rejects the header name.
            r = get(
                "https://httpbin.org/headers",
                headers={
                    entry: "test"
                }
            )

            # Local verdict: what kiss-headers itself thinks of the same name.
            print(
                entry,
                "KO" if r.status_code == 400 else "OK",
                f"is_legal_header_name({is_legal_header_name(entry)})"
            )

from kiss-headers.

Ousret commented on September 19, 2024

cf. PR #42

  • v2.2.4

from kiss-headers.

openalmeida commented on September 19, 2024

The remote server of httpbin.org is "gunicorn", which does not always follow the original source (the RFCs);
even a more widely used server such as nginx is a follower of the original source.

One more thing: "\x7f" may be risky for a command-line environment (terminal), such as when logging to some kind of console.
Fine, we can say the meaning of the 7F Unicode code point has been unclear; it all depends.

Anyway, the reason I raised this issue is only because of the RFCs defined below:

RFC2616 https://tools.ietf.org/html/rfc2616#page-17

message-header = field-name ":" [ field-value ]
field-name     = token
token          = 1*<any CHAR except CTLs or separators>
separators     = "(" | ")" | "<" | ">" | "@"
               | "," | ";" | ":" | "\" | <">
               | "/" | "[" | "]" | "?" | "="
               | "{" | "}" | SP | HT
RFC7230 https://tools.ietf.org/html/rfc7230#page-27

... Delimiters are chosen from the set of US-ASCII
    visual characters not allowed in a token
    (DQUOTE and "(),/:;<=>?@[\]{}").

header-field   = field-name ":" OWS field-value OWS
field-name     = token
token          = 1*tchar
tchar          = "!" / "#" / "$" / "%" / "&" / "'" / "*"
               / "+" / "-" / "." / "^" / "_" / "`" / "|" / "~"
               / DIGIT / ALPHA
               ; any VCHAR, except delimiters

which say that separators or delimiters are excluded (so the "/" is not allowed).

from kiss-headers.
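The token grammar quoted in the comment above, and the httpbin probe matrix earlier in the thread, as an added example that is not part of the original thread and not kiss-headers code: a strict RFC 7230 `token` check, a relaxed policy of my own (hypothetical, and deliberately not the library's `is_legal_header_name`) that still refuses anything able to break header framing, and a per-character reasons report. The inputs are constructed: the thread's entries plus DEL, a non-ASCII name and a CRLF-injection name. `TCHAR`, `SEPARATORS`, `offending_chars`, `is_token`, `is_safe_name` and `evaluate` are names chosen here, not project identifiers.

```python
"""Header field-name validation against the RFC 2616 / RFC 7230 token grammar.

Added example, not kiss-headers code; all function and constant names are my own.
"""
import string

# RFC 7230 section 3.2.6:
#   tchar = "!" / "#" / "$" / "%" / "&" / "'" / "*" / "+" / "-" / "." / "^"
#         / "_" / "`" / "|" / "~" / DIGIT / ALPHA
TCHAR = frozenset("!#$%&'*+-.^_`|~" + string.digits + string.ascii_letters)

# RFC 2616 separators; RFC 7230's delimiter list is the same set minus SP and HT.
# Together with TCHAR this covers every visible ASCII character (0x21-0x7E).
SEPARATORS = frozenset('()<>@,;:\\"/[]?={} \t')


def offending_chars(name: str) -> list:
    """Return (char, reason) for every character that disqualifies `name` as a token."""
    out = []
    for ch in name:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:          # CTL: NUL, BEL, CR, LF, DEL, ...
            out.append((ch, "CTL"))
        elif code > 0x7E:                         # outside US-ASCII entirely
            out.append((ch, "non-ASCII"))
        elif ch not in TCHAR:                     # therefore a separator / delimiter
            out.append((ch, "delimiter"))
    return out


def is_token(name: str) -> bool:
    """Strict reading of both RFCs: field-name = token = 1*tchar (so '/' is rejected)."""
    return bool(name) and not offending_chars(name)


def is_safe_name(name: str) -> bool:
    """Relaxed policy (hypothetical, my own): tolerate visible delimiters such as '/'
    that deployed servers accept, but keep rejecting what can break framing or be used
    for header injection: CTLs (incl. NUL and DEL), non-ASCII, whitespace, ':' and DQUOTE."""
    if not name:
        return False
    for ch, reason in offending_chars(name):
        if reason in ("CTL", "non-ASCII") or ch in '": \t':
            return False
    return True


# Constructed inputs: the thread's entries, plus DEL, a non-ASCII name and a CRLF injection.
ENTRIES = [
    "\x00", "\x07", "\x7f",
    'invalid"', "invalid/", "/invalid", "/", "//invalid/",
    "X-Custom-Id", "\u00dcnicode", "Evil\r\nInjected: yes",
]


def evaluate(entries=ENTRIES) -> dict:
    """Map each name to (strict token?, relaxed ok?, sorted distinct reasons)."""
    return {
        e: (is_token(e), is_safe_name(e), sorted({r for _, r in offending_chars(e)}))
        for e in entries
    }


if __name__ == "__main__":
    for name, (strict, relaxed, reasons) in evaluate().items():
        print(
            repr(name).ljust(26),
            "token    " if strict else "NOT token",
            "| relaxed:", "OK" if relaxed else "KO",
            "|", ", ".join(reasons) or "-",
        )
```

The strict check reproduces what the RFC text says: every entry in the thread except a plain alphanumeric name fails, including all the '/' variants that httpbin happens to accept. The relaxed policy is where the "flexible, but not too much" line has to be drawn explicitly, and it still rejects the CRLF case, which is the one that matters for security rather than conformance.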

Ousret commented on September 19, 2024

We have to be flexible regarding the RFC. I did not say that httpbin was RFC compliant.
Flexible but not too much.

For ref, look at encode/httpx#1363 + all related topics/issues on httpx deps.

from kiss-headers.

Ousret commented on September 19, 2024

python-hyper/h11#113

from kiss-headers.
