also disallow \r

gunicorn/http/body.py

@@ -91,9 +91,9 @@ def parse_chunk_size(self, unreader, data=None):
         chunk_size, *chunk_ext = line.split(b";", 1)
         if chunk_ext:
             chunk_size = chunk_size.rstrip(b" \t")
-            # Security: Don't newlines in chunk extension
+            # Security: Don't allow CRs and LFs in chunk extensions
             # This can cause request smuggling issues with some proxies
-            if b"\n" in chunk_ext[0]:
+            if any(c in chunk_ext[0] for c in (b"\n", b"\r")):
                 raise InvalidChunkExtension(chunk_ext[0])
         if any(n not in b"0123456789abcdefABCDEF" for n in chunk_size):
             raise InvalidChunkSize(chunk_size)