From ede37bd316a41a9afb4e307ac80e311dad1bfdb3 Mon Sep 17 00:00:00 2001
From: Andrew Dang
Date: Sat, 27 Jun 2026 02:14:23 -0500
Subject: [PATCH 1/2] Reject invalid HTTP method token characters
---
 cheroot/server.py | 5 +++++
 cheroot/test/test_core.py | 11 +++++++++++
 2 files changed, 16 insertions(+)
diff --git a/cheroot/server.py b/cheroot/server.py
index 284cf17c72..c8ade77b1b 100644
--- a/cheroot/server.py
+++ b/cheroot/server.py
@@ -162,6 +162,7 @@
 FORWARD_SLASH = b'/'
 QUOTED_SLASH = b'%2F'
 QUOTED_SLASH_REGEX = re.compile(b''.join((b'(?i)', QUOTED_SLASH)))
+HTTP_TOKEN_RE = re.compile(br"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
 _STOPPING_FOR_INTERRUPT = Exception() # sentinel used during shutdown
@@ -826,6 +827,10 @@ def read_request_line(self): # noqa: C901 # FIXME
 self.simple_response('400 Bad Request', 'Malformed Request-Line')
 return False
+ if not HTTP_TOKEN_RE.match(method):
+ self.simple_response('400 Bad Request', 'Malformed method name')
+ return False
+
 self.uri = uri
 self.method = method.upper()
diff --git a/cheroot/test/test_core.py b/cheroot/test/test_core.py
index cd3841d428..aa7ffe2c3a 100644
--- a/cheroot/test/test_core.py
+++ b/cheroot/test/test_core.py
@@ -420,6 +420,17 @@ def test_garbage_in(test_client):
 raise
+def test_invalid_character_in_http_method(test_client):
+ """Check that methods with invalid token characters are rejected."""
+ c = test_client.get_connection()
+ c._output(b'GE(T / HTTP/1.1\r\nHost: localhost\r\n\r\n')
+ c._send_output()
+ response = _get_http_response(c, method='GET')
+ response.begin()
+ assert response.status == HTTP_BAD_REQUEST
+ c.close()
+
+
 class CloseController:
 """Controller for testing the close callback."""
From 25e929280b22538e57cc0c1f6b6f2a4a1c09c810 Mon Sep 17 00:00:00 2001
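Review bot: The anchors on HTTP_TOKEN_RE leave a small gap: in a Python regex `$` also matches just before a trailing newline, so a method value such as b'GET\n' would satisfy the `.match()` check added in the read_request_line hunk, whereas `\A`/`\Z` would reject it. Whether a trailing LF can survive the request-line split that happens above this hunk is not visible here, but the stricter form costs nothing: replace the `^` and `$` anchors with `\A` and `\Z`, or keep the pattern and change the call site to `if not HTTP_TOKEN_RE.fullmatch(method):`. The constant also deserves a line stating which grammar it encodes, e.g. `# RFC 7230 section 3.2.6 tchar: the only octets permitted in an HTTP method token`.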
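Review bot: The new test checks only the status code, so it passes equally if the request is rejected by the pre-existing 'Malformed Request-Line' branch rather than by the new token check; add `assert b'Malformed method name' in response.read()` after the status assertion (assuming simple_response emits its second argument as the body, as the existing Malformed Request-Line path suggests). `c.close()` is reached only when every assertion passes, so move it into a `finally:` wrapping the send/assert sequence to avoid leaking the connection on a failure. A short parametrization over a couple of other non-tchar bytes would exercise the character class more thoroughly than the single `GE(T` case, though that is optional.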
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com>
Date: Sat, 27 Jun 2026 07:16:43 +0000
Subject: [PATCH 2/2] [pre-commit.ci] auto fixes from pre-commit.com hooks
for more information, see https://pre-commit.ci
---
 cheroot/server.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/cheroot/server.py b/cheroot/server.py
index c8ade77b1b..856d07424a 100644
--- a/cheroot/server.py
+++ b/cheroot/server.py
@@ -162,7 +162,7 @@
 FORWARD_SLASH = b'/'
 QUOTED_SLASH = b'%2F'
 QUOTED_SLASH_REGEX = re.compile(b''.join((b'(?i)', QUOTED_SLASH)))
-HTTP_TOKEN_RE = re.compile(br"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
+HTTP_TOKEN_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
 _STOPPING_FOR_INTERRUPT = Exception() # sentinel used during shutdown