Panic in server when sending non-ASCII header value

[5225225]

Found via fuzzing.

Steps to reproduce:

1. run the server example (cargo run --example=server)
2. feed it the bad input (cat crash | nc localhost 8080)

crash is

GET https://example.com HTTP/1.1
Host:ȃ

and as base64 (to avoid encoding issues)

R0VUIGh0dHBzOi8vZXhhbXBsZS5jb20gSFRUUC8xLjEKSG9zdDrIgw0KDQo=

Full backtrace is long, I put it in the below gist.

https://gist.github.com/5225225/dd931721233609b6e6ce39d0705b0119

[Fishrock123]

We should not accept non-ASCII characters in headers (it is against the http spec as fare as I am aware), but it should be checked before we do things which make this assumption. This is a bug.

[pepoviola]

Hi 👋, I can check the spec and try to draft a pr to fix is non-ascii aren't allowed.

Thx!

[jbr]

I believe the point about the spec is correct but that means we should respond with an error code, not panic. We should never panic regardless of the spec

[jbr]

I believe #172 represents the same issue

[kyrias]

The spec currently recommends against non-ASCII header values but the only requirement is that the value is in an encoding that is a superset of ASCII and doesn't contain null, so UTF-8 values are completely valid just discouraged.

It's not unreasonable to handle it by explicitly returning an error though.