http2: use ASCII space trimming for parsing Trailer header
Security hardening against HTTP request smuggling recommended by an
external reporter.
Change-Id: I58cba9aa508eca1ae83c3bcf33858b7ba06ca583
Reviewed-on: https://go-review.googlesource.com/c/net/+/231437
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
diff --git a/http2/server.go b/http2/server.go
index 69e1a77..345b7cd 100644
--- a/http2/server.go
+++ b/http2/server.go
@@ -2058,7 +2058,7 @@
var trailer http.Header
for _, v := range rp.header["Trailer"] {
for _, key := range strings.Split(v, ",") {
- key = http.CanonicalHeaderKey(strings.TrimSpace(key))
+ key = http.CanonicalHeaderKey(textproto.TrimString(key))
switch key {
case "Transfer-Encoding", "Trailer", "Content-Length":
// Bogus. (copy of http1 rules)
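Review bot: A name that still carries non-ASCII whitespace after `textproto.TrimString(key)` no longer matches the `case "Transfer-Encoding", "Trailer", "Content-Length":` list and falls through to the rest of the switch, which lies outside this hunk, so it is worth confirming that path drops names that are not valid header tokens, for example with `if !httpguts.ValidHeaderFieldName(key) { continue }` ahead of the `switch` (assuming httpguts is already imported in this file). The call would also benefit from a comment recording why it is not `strings.TrimSpace`, e.g. `// Trim ASCII whitespace only; strings.TrimSpace also strips Unicode space, which HTTP does not treat as whitespace.`, so a later cleanup does not revert it. A regression test that declares a trailer name padded with a non-ASCII space character would pin the new behaviour. The enclosing loops and function start and end outside the hunk.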