A MIME header can include values defined on several lines.
Only the first line of each value was trimmed.
Make sure all the lines are trimmed before being aggregated.
Fixes#11204
Change-Id: Id92f384044bc6c4ca836e5dba2081fe82c82dc85
Reviewed-on: https://go-review.googlesource.com/15683
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
This was originally done in https://codereview.appspot.com/5690059
(Feb 2012) to deal with bad response headers coming back from webcams,
but it presents a potential security problem with HTTP request
smuggling for request headers containing "Content Length" instead of
"Content-Length".
Part of overall HTTP hardening for request smuggling. See RFC 7230.
Thanks to Régis Leroy for the report.
Change-Id: I92b17fb637c9171c5774ea1437979ae2c17ca88a
Reviewed-on: https://go-review.googlesource.com/11772
Reviewed-by: Russ Cox <rsc@golang.org>
Run-TryBot: Brad Fitzpatrick <bradfitz@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
A header of ": value" results in an empty key. Do not add
it to the headers, because RFC7230 (section 3.2) says that
field-names are tokens, which are one or more characters.
Fixes#11205.
Change-Id: I883be89da1489dc84f98523786b019d1d0169d46
Reviewed-on: https://go-review.googlesource.com/11242
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>