HTTP parser: stricter chunk-ext OBS handling

chunk extensions are silently ignored before and after this change;
its just the whitespace handling for the case without extensions that matters
applying same strip(WS)->rstrip(BWS) replacement as already done in related cases

half-way fix: could probably reject all BWS cases, rejecting only misplaced ones

gunicorn/http/body.py

@@ -85,7 +85,10 @@ def parse_chunk_size(self, unreader, data=None):
         data = buf.getvalue()
         line, rest_chunk = data[:idx], data[idx + 2:]
 
-        chunk_size = line.split(b";", 1)[0].strip()
+        # RFC9112 7.1.1: BWS before chunk-ext - but ONLY then
+        chunk_size, *chunk_ext = line.split(b";", 1)
+        if chunk_ext:
+            chunk_size = chunk_size.rstrip(b" \t")
         if any(n not in b"0123456789abcdefABCDEF" for n in chunk_size):
             raise InvalidChunkSize(chunk_size)
         chunk_size = int(chunk_size, 16)

tests/requests/invalid/chunked_09.http

@@ -0,0 +1,7 @@
+POST /chunked_ows_without_ext HTTP/1.1\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+5\r\n
+hello\r\n
+0 \r\n
+\r\n

tests/requests/invalid/chunked_09.py

@@ -0,0 +1,2 @@
+from gunicorn.http.errors import InvalidChunkSize
+request = InvalidChunkSize

tests/requests/invalid/chunked_10.http

@@ -0,0 +1,7 @@
+POST /chunked_ows_before HTTP/1.1\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+5\r\n
+hello\r\n
+ 0\r\n
+\r\n

tests/requests/invalid/chunked_10.py

@@ -0,0 +1,2 @@
+from gunicorn.http.errors import InvalidChunkSize
+request = InvalidChunkSize

tests/requests/invalid/chunked_11.http

@@ -0,0 +1,7 @@
+POST /chunked_ows_before HTTP/1.1\r\n
+Transfer-Encoding: chunked\r\n
+\r\n
+5\n;\r\n
+hello\r\n
+0\r\n
+\r\n

tests/requests/invalid/chunked_11.py

@@ -0,0 +1,2 @@
+from gunicorn.http.errors import InvalidChunkSize
+request = InvalidChunkSize

tests/requests/valid/025.http

@@ -3,7 +3,7 @@ Transfer-Encoding: chunked\r\n
 \r\n
 5; some; parameters=stuff\r\n
 hello\r\n
-6; blahblah; blah\r\n
+6 \t;\tblahblah; blah\r\n
  world\r\n
 0\r\n
 \r\n