Strip header trailing ows

[ioquatix]

Fixes #47.

Types of Changes

• Bug fix.

Contribution

• I added tests for my changes.
• I tested my changes locally.
• I agree to the Developer's Certificate of Origin 1.1.

[kenballus]

This patch introduces a vulnerability, and should not be merged as-is.

Because rstrip strips \x0b and \x0c in addition to the characters we want, this causes the server to interpret Transfer-Encoding: chunked\x0c equivalently to Transfer-Encoding: chunked. This renders the server vulnerable to request smuggling when used with proxies that forward unrecognized transfer-codings (of which there are many).

This is why my original patch used a regex; rstrip alone is not the right tool for the job.

[ioquatix]

Thanks for your feedback. In Ruby 4+, we can write rstrip(" \t") which is fast. We can probably use a combination of sub on Ruby < 4 and rstrip(" \t") on Ruby 4+.