diff --git a/tornado/httputil.py b/tornado/httputil.py
index e2e51dfa1b..53e5130837 100644
--- a/tornado/httputil.py
+++ b/tornado/httputil.py
@@ -889,6 +889,7 @@ class RequestStartLine(typing.NamedTuple):
 _http_version_re = re.compile(r"^HTTP/1\.[0-9]$")
+_http_method_re = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
 def parse_request_start_line(line: str) -> RequestStartLine:
@@ -909,6 +910,10 @@ def parse_request_start_line(line: str) -> RequestStartLine:
 raise HTTPInputError(
 "Malformed HTTP version in HTTP Request-Line: %r" % version
 )
+ if not _http_method_re.match(method):
+ raise HTTPInputError(
+ "Malformed method in HTTP Request-line: %r" % method
+ )
 return RequestStartLine(method, path, version)
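Review bot: The new `_http_method_re` carries no comment naming the grammar its character class encodes, so a later reader cannot tell whether a character was omitted deliberately. The class lines up with the `tchar` set of the HTTP `token` rule, and a comment above the definition such as `# HTTP method is a token: one or more tchar (RFC 9110 section 5.6.2)` would make the pattern checkable against the spec. This matters here because the pattern is the only gate on which method strings the parser lets through.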
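Review bot: `_http_method_re.match(method)` in the added check still accepts a method that ends in a newline, because `$` in a Python pattern also matches just before a trailing `\n`. Whether a newline can reach this point depends on how the caller splits the request line, which is outside the hunk, but a strict request parser should not lean on that; `if not _http_method_re.fullmatch(method):` closes the gap. The `_http_version_re` pattern in the first hunk ends in `$` as well, so its check may deserve the same treatment. The new message also spells `Request-line` where the version error just above it uses `Request-Line`. parse_request_start_line begins before this hunk.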