
Cheroot incorrectly strips \x0b, \x0c, and \x0d from the beginnings and ends of header values. #725

Open
1 of 3 tasks
kenballus opened this issue Jul 4, 2024 · 0 comments
Labels
bug Something is broken triage

Comments

@kenballus

kenballus commented Jul 4, 2024

❓ I'm submitting a ...

  • 🐞 bug report
  • 🐣 feature request
  • ❓ question about the decisions made in the repository

🐞 Describe the bug. What is the current behavior?
When Cheroot receives a header field value that begins and/or ends with any number of \x0b, \x0c, or \x0d bytes, it strips them off. While the RFC does require the stripping of optional whitespace on either side of header values, this includes only SP and HTAB bytes.

❓ What is the motivation / use case for changing the behavior?
RFC compliance and avoidance of framing-related issues.

💡 To Reproduce
Steps to reproduce the behavior:

  1. Start a Cheroot-based HTTP server that echoes the headers. (e.g., this one)
  2. Send it a request prefixed and suffixed with the aforementioned bytes, and extract the header value:
printf 'GET / HTTP/1.1\r\nHost: whatever\r\nTest: \x0b\x0c\x0dtest\x0d\x0c\x0b\r\n\r\n' \
    | timeout 1 nc 172.18.0.23 80 \
    | grep '"headers"' \
    | jq '.["headers"][1][1]' \
    | xargs echo \
    | base64 -d \
    | xxd
  3. Observe that the \x0b, \x0c, and \x0d bytes were stripped:
00000000: 7465 7374                                test

💡 Expected behavior
The RFCs permit two behaviors:

  1. Reject the request, since these characters are not permitted within header values.
    • AIOHTTP, Apache, Deno, FastHTTP, Go net/http, H2O, HAProxy, Hyper, Hypercorn, Jetty, Libevent, Lighttpd, Mongoose, Netty, Nginx, Node.js, Passenger, Puma, Tomcat, Uvicorn, Waitress, and WEBrick do this.
  2. Translate the \x0d into SP, then process the request, appropriately stripping SP bytes (including those just created) and allowing \x0b and \x0c to stay in the value.
    • Libsoup, LiteSpeed, and Twisted do this.

📋 Environment

  • Cheroot version: 10.0.2.dev71+g1ff20b18
  • Python version: 3.11.9
  • OS: Linux 3dd8401f8901 6.9.7-arch1-1 #1 SMP PREEMPT_DYNAMIC Fri, 28 Jun 2024 04:32:50 +0000 x86_64 GNU/Linux
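The two RFC-permitted behaviors described in the report, as an added Python example (not Cheroot's code). It also shows why this class of bug is easy to introduce: `bytes.strip()` with no argument removes `\x0b`, `\x0c` and `\x0d` along with SP and HTAB, which reproduces the observed `test` output exactly; whether that is Cheroot's actual cause is not stated in the report. Function names, the `BadField` exception and the `policy` parameter are this example's own; the sample header value is the one from the reproduction above.

```python
"""Header field-value whitespace handling (added example, not Cheroot's code).

RFC 9110 defines OWS as SP / HTAB only, so those are the only bytes a server
may trim from the ends of a field value. Python's bytes.strip() with no
argument also removes \\n, \\r, \\x0b and \\x0c, which yields exactly the
result reported above. The functions below show the difference and implement
the two RFC-permitted behaviors named in the report.
"""

OWS = b" \t"                            # RFC 9110 optional whitespace: SP and HTAB only
PYTHON_DEFAULT_WS = b" \t\n\r\x0b\x0c"  # what bytes.strip() removes with no argument
TCHAR = set(b"!#$%&'*+-.^_`|~0123456789"
            b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")


class BadField(ValueError):
    """Raised when a header line does not satisfy the RFC 9110 field grammar."""


def is_field_content_byte(b: int) -> bool:
    """field-content bytes: VCHAR (0x21-0x7E), obs-text (0x80-0xFF), SP, HTAB."""
    return b in (0x09, 0x20) or 0x21 <= b <= 0x7E or b >= 0x80


def strip_ows(value: bytes) -> bytes:
    """RFC-conformant trim: remove only SP and HTAB from both ends."""
    return value.strip(OWS)


def strip_python_default(value: bytes) -> bytes:
    """Over-broad trim: bytes.strip() also eats \\x0b, \\x0c and \\x0d."""
    return value.strip()


def normalize_field_value(raw: bytes, policy: str = "reject") -> bytes:
    """Apply one of the two behaviors the report says the RFCs permit.

    policy="reject":   trim OWS, then refuse any byte outside field-content
                       (the first behavior listed in the report).
    policy="cr-to-sp": translate \\x0d to SP, trim OWS (including SP bytes just
                       created at the ends) and keep \\x0b / \\x0c in the value
                       (the second behavior listed in the report).
    """
    if policy == "cr-to-sp":
        return strip_ows(raw.replace(b"\r", b" "))
    if policy != "reject":
        raise ValueError(f"unknown policy {policy!r}")
    value = strip_ows(raw)
    bad = sorted({b for b in value if not is_field_content_byte(b)})
    if bad:
        raise BadField(f"control bytes not allowed in field value: {bad!r}")
    return value


def parse_header_line(line: bytes, policy: str = "reject") -> tuple:
    """Split one header line (without its CRLF) into (lowercased name, value).

    The name must be a token with no whitespace before the colon (RFC 9112
    forbids it); the value goes through normalize_field_value().
    """
    name, sep, value = line.partition(b":")
    if not sep or not name or any(b not in TCHAR for b in name):
        raise BadField(f"invalid field name: {name!r}")
    return name.lower(), normalize_field_value(value, policy)


if __name__ == "__main__":
    # Constructed sample: the Test header from the reproduction in this report.
    raw = b" \x0b\x0c\x0dtest\x0d\x0c\x0b"
    print(strip_python_default(raw))   # b'test' (matches the reported output)
    print(strip_ows(raw))              # the control bytes survive an OWS-only trim
    print(parse_header_line(b"Test:" + raw, "cr-to-sp"))
    try:
        parse_header_line(b"Test:" + raw, "reject")
    except BadField as exc:
        print("rejected:", exc)
```

Under `policy="reject"` the control bytes are still present after the OWS-only trim and the line is refused, which is the behavior the majority of the servers listed above exhibit; under `policy="cr-to-sp"` the `\x0d` bytes become SP and only SP/HTAB at the ends are removed, so the inner SP created from the CR next to `test` stays, as do `\x0b` and `\x0c`.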
@kenballus kenballus added bug Something is broken triage labels Jul 4, 2024
@kenballus kenballus changed the title Cheroot incorrectly strips \x0b, \x0c, and \x0d from the beginnings and ends of header names. Cheroot incorrectly strips \x0b, \x0c, and \x0d from the beginnings and ends of header values. Jul 15, 2024