Definition of HTTP field-content is stricter than validate_headers

[nigoroll]

Upon review I noticed that our validate_headers implementation from #3407

varnish-cache/bin/varnishd/cache/cache_vrt.c

Lines 542 to 552 in 58e2e8a

	// rfc7230,l,1243,1244
	// ASCII VCHAR + TAB + obs-text (0x80-ff)
	static inline VCL_BOOL
	validhdr(const char *p)
	{
	AN(p);
	for(;*p != '\0'; p++)
	if (! vct_ishdrval(*p))
	return (0);
	return (1);
	}

varnish-cache/include/vct.h

Lines 88 to 89 in 58e2e8a

	#define vct_ishdrval(x) \
	(((uint8_t)(x) >= 0x20 && (uint8_t)(x) != 0x7f) ||(uint8_t)(x) == 0x09)

allows *( field-vchar / SP / HTAB) while already RFC7230 defined

     field-content  = field-vchar                                    
                      [ 1*( SP / HTAB ) field-vchar ]

This has not changed with RFC9110, which removed the line folding:

  field-value    = *field-content
  field-content  = field-vchar
                   [ 1*( SP / HTAB / field-vchar ) field-vchar ]
  field-vchar    = VCHAR / obs-text
  obs-text       = %x80-FF

Unless I overlook anything (again), I think we can summarize as "any positive amount of SP/HTAB needs to be enclosed by field-vchar", which should be equivalent to "the last and first character of field-content need to be field-vchar".

Do we want to make our implementation more strict?

[nigoroll]

bugwash: yes, we want to tighten the check
Todo: write the code