http2: use ASCII space trimming for parsing Trailer header Security hardening against HTTP request smuggling recommended by an external reporter. Change-Id: I58cba9aa508eca1ae83c3bcf33858b7ba06ca583 Reviewed-on: https://go-review.googlesource.com/c/net/+/231437 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

commit: 1ed23360d12c354a52f93c8dacc79ddd46516428 [log] [tgz]
author: Filippo Valsorda <filippo@golang.org> Fri May 01 01:16:36 2020 -0400
committer: Filippo Valsorda <filippo@golang.org> Tue May 05 04:18:28 2020 +0000
tree: 2ba8a4dc896d0dc25b12605fb3f0fa45857bb505
parent: e0ff5e5a1de5b859e2d48a2830d7933b3ab5b75f [diff]
diff --git a/http2/server.go b/http2/server.go
index 69e1a77..345b7cd 100644
--- a/http2/server.go
+++ b/http2/server.go

@@ -2058,7 +2058,7 @@
 	var trailer http.Header
 	for _, v := range rp.header["Trailer"] {
 		for _, key := range strings.Split(v, ",") {
-			key = http.CanonicalHeaderKey(strings.TrimSpace(key))
+			key = http.CanonicalHeaderKey(textproto.TrimString(key))
 			switch key {
 			case "Transfer-Encoding", "Trailer", "Content-Length":
 				// Bogus. (copy of http1 rules)
commit	1ed23360d12c354a52f93c8dacc79ddd46516428	[log] [tgz]
author	Filippo Valsorda <filippo@golang.org>	Fri May 01 01:16:36 2020 -0400
committer	Filippo Valsorda <filippo@golang.org>	Tue May 05 04:18:28 2020 +0000
tree	2ba8a4dc896d0dc25b12605fb3f0fa45857bb505
parent	e0ff5e5a1de5b859e2d48a2830d7933b3ab5b75f [diff]