
Reject multiple transfer-encoding headers and transfer-encoding headers with obs #205

Open
jeremyevans wants to merge 1 commit into ruby:master from jeremyevans:multiple-te

Conversation

@jeremyevans (Collaborator)

Fixes #204

@hsbt (Member) commented May 1, 2026

@jeremyevans /cc @ioquatix I recently revised our repository permissions, which previously allowed all committers to write. In the process, I forgot to explicitly keep the write access for you.

I have restored it now. Sorry for the inconvenience.

@rodtvs commented May 3, 2026

Thank you for the fix! I reviewed the changes and the two Transfer-Encoding smuggling vectors are correctly addressed:

  • Duplicate TE headers (TE.TE desync): raising BadRequest on the second Transfer-Encoding header prevents front-end/back-end desynchronization caused by conflicting TE values.
  • obs-fold on TE: rejecting obsolete line folding on Transfer-Encoding closes the vector where a continuation line could produce an ambiguous effective value (e.g., "chunked identity") that proxies and backends interpret differently.

Both test cases (test_multiple_transfer_encoding_headers and test_transfer_encoding_header_with_obs) cover the attack scenarios appropriately. The fix is RFC 9112 6.1 and 5.2 compliant.

Thanks @hsbt and @jeremyevans ! ❤️
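The two checks described in the review above, as an added Ruby example that is not WEBrick's code and is not the diff in this PR: a minimal HTTP/1.1 header-block parser that raises on a second Transfer-Encoding field and on an obs-fold continuation line that would extend a Transfer-Encoding value, while still unfolding obs-fold on other fields the way a lenient parser would. The module name HeaderParser, the BadRequest class, the check helper and the three sample header blocks are all assumptions constructed for this example, not captured traffic.

```ruby
# Added example, not WEBrick's code. HeaderParser, BadRequest and the
# sample requests below are hypothetical names/data made up for this demo.

class BadRequest < StandardError; end

module HeaderParser
  # Constructed sample header blocks (request line already consumed).
  TE_TE_DESYNC = "Host: example\r\nTransfer-Encoding: chunked\r\n" \
                 "Transfer-Encoding: identity\r\n\r\n"
  TE_OBS_FOLD  = "Host: example\r\nTransfer-Encoding: chunked\r\n identity\r\n" \
                 "Content-Length: 4\r\n\r\n"
  BENIGN       = "Host: example\r\nTransfer-Encoding: chunked\r\n" \
                 "X-Note: a\r\n b\r\n\r\n"

  # Parse a raw header block into { lowercased-name => [values...] }.
  # Raises BadRequest for the two smuggling vectors discussed in the PR.
  def self.parse(raw)
    headers = Hash.new { |h, k| h[k] = [] }
    last_name = nil

    raw.split(/\r?\n/).each do |line|
      next if line.empty?

      if line.match?(/\A[ \t]/)
        # obs-fold continuation (RFC 9112 section 5.2): the text belongs to the
        # previous field. Unfolding "chunked\r\n identity" yields
        # "chunked identity", which a proxy and a backend may read differently,
        # so refuse folding on Transfer-Encoding outright.
        raise BadRequest, "obs-fold in Transfer-Encoding" if last_name == "transfer-encoding"
        raise BadRequest, "obs-fold without preceding field" if last_name.nil?
        headers[last_name][-1] = "#{headers[last_name][-1]} #{line.strip}"
        next
      end

      name, value = line.split(":", 2)
      raise BadRequest, "malformed header line: #{line.inspect}" if value.nil?
      name = name.strip.downcase
      value = value.strip

      # A second Transfer-Encoding field lets a front end and a back end pick
      # different framing (TE.TE desync); reject instead of merging or
      # last-wins.
      if name == "transfer-encoding" && headers.key?("transfer-encoding")
        raise BadRequest, "multiple Transfer-Encoding headers"
      end

      headers[name] << value
      last_name = name
    end

    headers
  end

  # Convenience wrapper: :ok when the block parses, otherwise the rejection
  # reason as a String.
  def self.check(raw)
    parse(raw)
    :ok
  rescue BadRequest => e
    e.message
  end
end

if $PROGRAM_NAME == __FILE__
  { "TE.TE" => HeaderParser::TE_TE_DESYNC,
    "obs-fold TE" => HeaderParser::TE_OBS_FOLD,
    "benign" => HeaderParser::BENIGN }.each do |label, raw|
    puts "#{label}: #{HeaderParser.check(raw).inspect}"
  end
end
```

The benign sample shows the scope of the second check: obs-fold on an unrelated field (X-Note) is still unfolded to "a b", so only the framing-relevant field gets the hard rejection.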



Development

Successfully merging this pull request may close these issues.

HTTP Request Smuggling: TE.TE desync and obs-fold parsing in WEBrick

3 participants