Cheroot is vulnerable to request smuggling via multiple Content-Length headers

[kenballus]

❓ I'm submitting a ...

• 🐞 bug report
• 🐣 feature request
• ❓ question about the decisions made in the repository

🐞 Describe the bug. What is the current behavior?
Cheroot accepts requests with multiple Content-Length headers, prioritizing the second. It is therefore vulnerable to request smuggling when paired with a gateway server that forwards requests with multiple Content-Length headers, prioritizing the first.

❓ What is the motivation / use case for changing the behavior?
This is a vulnerability.

I reported this privately through the official channel on June 8th, 2024, but received no response.

💡 To Reproduce

1. Start a cheroot-based web server.
2. Send it an otherwise valid request with multiple Content-Length headers.
3. Watch it prioritize the second header over the first.

💡 Expected behavior

The request should be rejected with status 400.

📋 Environment

• Cheroot version: main branch, commit 088647e
• Python version: Python 3.14.0a3+
• OS: Linux 8a89c2a1a5fb 6.1.0-25-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.106-3 (2024-08-26) x86_64 GNU/Linux

[webknjaz]

Yes, I can see the reports. Haven't had a chance to triage them.