From dc42cd7955d75fdc908a7cd8db0d6761cf96b3d4 Mon Sep 17 00:00:00 2001
From: Matteo Collina <hello@matteocollina.com>
Date: Tue, 12 Oct 2021 19:46:02 +0200
Subject: [PATCH 1/2] Bumped v2.1.4

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 787eff60..d041f128 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "llhttp",
-  "version": "2.1.3",
+  "version": "2.1.4",
   "description": "HTTP parser in LLVM IR",
   "main": "lib/llhttp.js",
   "types": "lib/llhttp.d.ts",

From 4ff9cbc23c2c98db750a575d4c0af6691d13d1a9 Mon Sep 17 00:00:00 2001
From: Jelle Licht <jlicht@fsfe.org>
Date: Wed, 13 Oct 2021 11:46:13 +0200
Subject: [PATCH 2/2] disable whitespace for special headers.

Co-authored-by: Akshay K <iit.akshay@gmail.com>
---
 src/llhttp/http.ts | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

diff --git a/src/llhttp/http.ts b/src/llhttp/http.ts
index 092a8e04..55ccaca0 100644
--- a/src/llhttp/http.ts
+++ b/src/llhttp/http.ts
@@ -45,6 +45,7 @@ const NODES: ReadonlyArray<string> = [
   'header_field_start',
   'header_field',
   'header_field_colon',
+  'header_field_colon_discard_ws',
   'header_field_general',
   'header_field_general_otherwise',
   'header_value_discard_ws',
@@ -361,13 +362,31 @@ export class HTTP {
       .select(SPECIAL_HEADERS, this.store('header_state', 'header_field_colon'))
       .otherwise(this.resetHeaderState('header_field_general'));
 
+    const onInvalidHeaderFieldChar =
+      p.error(ERROR.INVALID_HEADER_TOKEN, 'Invalid header field char');
+
+    const checkLenientFlagsOnColon = this.testFlags(FLAGS.LENIENT, {
+      1: n('header_field_colon_discard_ws'),
+    }, span.headerField.end().skipTo(onInvalidHeaderFieldChar));
+
     n('header_field_colon')
-      .match(' ', n('header_field_colon'))
+      // https://datatracker.ietf.org/doc/html/rfc7230#section-3.2.4
+      // Whitespace character is not allowed between the header field-name
+      // and colon. If the next token matches whitespace then throw an error.
+      //
+      // Add a check for the lenient flag. If the lenient flag is set, the
+      // whitespace token is allowed to support legacy code not following
+      // http specs.
+      .peek(' ', checkLenientFlagsOnColon)
       .peek(':', span.headerField.end().skipTo(n('header_value_discard_ws')))
       // Fallback to general header, there're additional characters:
       // `Connection-Duration` instead of `Connection` and so on.
       .otherwise(this.resetHeaderState('header_field_general'));
 
+    n('header_field_colon_discard_ws')
+       .match(' ', n('header_field_colon_discard_ws'))
+       .otherwise(n('header_field_colon'));
+
     n('header_field_general')
       .match(this.TOKEN, n('header_field_general'))
       .otherwise(n('header_field_general_otherwise'));