cherrypy · kenballus · Jun 15, 2026 · Jun 15, 2026
diff --git a/cheroot/server.py b/cheroot/server.py
@@ -221,6 +221,7 @@ def __call__(self, rfile, hdict=None):  # noqa: C901  # FIXME
         if hdict is None:
             hdict = {}
 
+        k = None
         hname = None
         while True:
             line = rfile.readline()
@@ -240,6 +241,8 @@ def __call__(self, rfile, hdict=None):  # noqa: C901  # FIXME
                 # NOTE: `BytesWarning('Comparison between bytes and int')`
                 # NOTE: The latter is equivalent and does not.
                 # It's a continuation line.
+                if k is None:
+                    raise ValueError('Illegal continuation line.')
                 v = line.strip()
             else:
                 try:

diff --git a/cheroot/test/test_core.py b/cheroot/test/test_core.py
@@ -399,6 +399,18 @@ def test_request_line_split_issue_1220(test_client):
     assert actual_resp_body == b'Hello world!'
 
 
+def test_parse_invalid_line_fold(test_client):
+    """Check that the first field line can't begin with whitespace."""
+    c = test_client.get_connection()
+    c._output(b'GET / HTTP/1.1\r\n invalid\r\n\r\n')
+    c._send_output()
+    response = _get_http_response(c, method='GET')
+    response.begin()
+    assert response.status == HTTP_BAD_REQUEST
+    assert response.read(26) == b'Illegal continuation line.'
+    c.close()
+
+
 def test_garbage_in(test_client):
     """Test that server sends an error for garbage received over TCP."""
     # Connect without SSL regardless of server.scheme

diff --git a/docs/changelog-fragments.d/728.bugfix.rst b/docs/changelog-fragments.d/728.bugfix.rst
@@ -0,0 +1,4 @@
+The server has been updated to respond 400 to requests in
+which the first header field line begins with whitespace,
+instead of 500.
+by :user:`kenballus`