I reported this bug privately back in June, but it still has not been fixed, so I am making a public issue here.
Gunicorn strips \xa0 and \x85 bytes from the ends of header names. Thus, Transfer-Encoding\xa0 is treated as equivalent to Transfer-Encoding, and Content-Length\x85 is treated as equivalent to Content-Length. This allows for request smuggling when Gunicorn is deployed behind a reverse proxy that allows through \xa0 or \x85. One such proxy is Apache Traffic Server.
PR #3059 fixes this vulnerability.
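An added example, not part of the original report and not Gunicorn's code: it contrasts a lenient header-name normaliser with a strict RFC 9110 token check, and audits a constructed header block for names that only look like framing headers after trimming. It assumes the stripping comes from decoding the name as latin-1 and calling Python's `str.strip()`; the function names and the sample block are hypothetical.

```python
import re

# RFC 9110: field-name = token. Nothing outside this set is legal.
TOKEN_RE = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
FRAMING = {"TRANSFER-ENCODING", "CONTENT-LENGTH"}


def lenient_name(raw: bytes) -> str:
    # Assumed lenient behaviour: latin-1 decode, then str.strip(), which
    # removes all Unicode whitespace, including U+00A0 and U+0085.
    return raw.decode("latin-1").strip().upper()


def strict_name(raw: bytes) -> str:
    # Hardened behaviour: reject any non-token name, never trim it.
    if not TOKEN_RE.fullmatch(raw):
        raise ValueError(f"invalid header name: {raw!r}")
    return raw.decode("ascii").upper()


def audit_header_block(block: bytes) -> list[tuple[bytes, str]]:
    """Return (raw_name, folded_name) for every non-token header name that
    a lenient parser would treat as a message-framing header."""
    findings = []
    for line in block.split(b"\r\n"):
        raw, sep, _value = line.partition(b":")
        if not sep or TOKEN_RE.fullmatch(raw):
            continue  # not a header line, or a well-formed name
        folded = lenient_name(raw)
        if folded in FRAMING:
            findings.append((raw, folded))
    return findings


# Constructed sample header block (not captured traffic).
SAMPLE = (
    b"Host: example.test\r\n"
    b"Content-Length\x85: 0\r\n"
    b"Transfer-Encoding\xa0: chunked\r\n"
    b"X-Trace: abc\r\n"
)

if __name__ == "__main__":
    for raw, folded in audit_header_block(SAMPLE):
        print(f"{raw!r} would be read as {folded}")
```

Note that `bytes.strip()` only trims ASCII whitespace, so the collapse appears only once the name has been decoded to `str`.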