Description
Hello, I may have found a bug in hypercorn's parsing of HTTP requests with duplicate Content-Type headers.
RFC 9110 says this:
Although Content-Type is defined as a singleton field, it is sometimes incorrectly generated multiple times, resulting in a combined field value that appears to be a list. Recipients often attempt to handle this error by using the last syntactically valid member of the list, leading to potential interoperability and security issues if different implementations have different error handling behaviors.
Waitress does not reject such requests. For example:
POST / HTTP/1.1\r\n
Host: victim.com\r\n
Content-Type: text/plain\r\n
Content-Type: application/json\r\n
\r\n
Recipients often attempt to handle this error by using the last syntactically valid member of the list, leading to potential interoperability and security issues if different implementations have different error handling behaviors.
If different implementations have different error handling behaviors, there may be potential interoperability and security issues. So I might suggest rejecting such requests.
Version: 84d06b8
Platform: Ubuntu 11.4.0-1ubuntu1~22.04
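The divergence the quoted RFC text describes, shown as an added example that is not code from the issue, from Hypercorn or from h11: a minimal request-head parser keeps every field line, then three policies are applied to the request from the report (constructed inline). A "first wins" recipient sees text/plain, a "last wins" recipient sees application/json, and the strict policy the reporter suggests rejects the message. The SINGLETON_FIELDS set and all function names are this example's own assumptions.

```python
"""Added example: detecting duplicate singleton headers in an HTTP/1.1 request head.

Stand-alone illustration, not Hypercorn's (or h11's) parser. The request bytes
below are constructed from the example in the issue.
"""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]

# Fields RFC 9110 defines as singletons (at most one occurrence per message).
# Content-Length is included because two differing values are the classic
# request-smuggling discrepancy; the exact set is an assumption of this example.
SINGLETON_FIELDS = frozenset({"content-type", "content-length", "host"})

# Constructed request taken from the issue: two Content-Type field lines.
DUPLICATE_CT_REQUEST = (
    b"POST / HTTP/1.1\r\n"
    b"Host: victim.com\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Type: application/json\r\n"
    b"\r\n"
)


class MalformedRequest(ValueError):
    """Raised when the request head must be rejected (an HTTP 400 in a server)."""


def parse_request_head(raw: bytes) -> Tuple[str, Headers]:
    """Split a raw request head into (request-line, [(lower-name, value), ...]).

    Every field line is preserved in order, so the caller decides how repeats
    are treated instead of the parser silently merging them.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise MalformedRequest("incomplete request head")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("ascii")
    headers: Headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        # RFC 9112 forbids whitespace around the field name and empty names;
        # a leading-whitespace line would be obsolete line folding, also rejected.
        if not colon or not name or name != name.strip():
            raise MalformedRequest(f"bad field line: {line!r}")
        headers.append((name.decode("ascii").lower(), value.strip().decode("latin-1")))
    return request_line, headers


def lenient_headers(headers: Headers, policy: str) -> Dict[str, str]:
    """Emulate a recipient that silently keeps the first or the last occurrence.

    Two components with different policies act on different Content-Types for
    the same bytes, which is the interoperability gap the RFC text warns about.
    """
    if policy not in ("first", "last"):
        raise ValueError(f"unknown policy: {policy}")
    merged: Dict[str, str] = {}
    for name, value in headers:
        if policy == "first" and name in merged:
            continue
        merged[name] = value
    return merged


def strict_headers(headers: Headers) -> Dict[str, str]:
    """Reject the request if any singleton field appears more than once."""
    merged: Dict[str, str] = {}
    for name, value in headers:
        if name in SINGLETON_FIELDS and name in merged:
            raise MalformedRequest(f"duplicate singleton field: {name}")
        merged[name] = value
    return merged


def content_type_seen(raw: bytes, policy: str) -> str:
    """Content-Type the recipient acts on under 'first', 'last' or 'strict'."""
    _, headers = parse_request_head(raw)
    if policy == "strict":
        return strict_headers(headers)["content-type"]
    return lenient_headers(headers, policy)["content-type"]


if __name__ == "__main__":
    for policy in ("first", "last", "strict"):
        try:
            print(f"{policy:>6}: {content_type_seen(DUPLICATE_CT_REQUEST, policy)}")
        except MalformedRequest as exc:
            print(f"{policy:>6}: rejected ({exc})")
```

Running the block prints one line per policy; only "strict" rejects the request. In a server the rejection would be surfaced as a 400 before any body is read, so no downstream component ever sees the ambiguous field.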