[release-branch.go1.12] all: merge release-branch.go1.12-security into release-branch.go1.12

Change-Id: I6c822dfc305d629022c7da21ab399367bf021cf7

6 files changed, 47 insertions, 16 deletions

diff --git a/VERSION b/VERSION
index 486d1f31fd..40bdee30b1 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-go1.12.9
\ No newline at end of file
+go1.12.10
\ No newline at end of file
diff --git a/doc/devel/release.html b/doc/devel/release.html
index 437e3c60a4..1634fbe170 100644
--- a/doc/devel/release.html
+++ b/doc/devel/release.html
@@ -98,6 +98,13 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.9+labe
 1.12.9 milestone</a> on our issue tracker for details.
 </p>
 
+<p>
+go1.12.10 (released 2019/09/25) includes security fixes to the
+<code>net/http</code> and <code>net/textproto</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.10">Go
+1.12.10 milestone</a> on our issue tracker for details.
+</p>
+
 <h2 id="go1.11">go1.11 (released 2018/08/24)</h2>
 
 <p>
diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
index 6eb0088a96..89bfdfbb82 100644
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
@@ -4748,6 +4748,10 @@ func TestServerValidatesHeaders(t *testing.T) {
 		{"foo\xffbar: foo\r\n", 400},                         // binary in header
 		{"foo\x00bar: foo\r\n", 400},                         // binary in header
 		{"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", 431}, // header too large
+		// Spaces between the header key and colon are not allowed.
+		// See RFC 7230, Section 3.2.4.
+		{"Foo : bar\r\n", 400},
+		{"Foo\t: bar\r\n", 400},
 
 		{"foo: foo foo\r\n", 200},    // LWS space is okay
 		{"foo: foo\tfoo\r\n", 200},   // LWS tab is okay
diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
index 5c329543e2..5e5438a708 100644
--- a/src/net/http/transport_test.go
+++ b/src/net/http/transport_test.go
@@ -5133,3 +5133,30 @@ func TestTransportIgnores408(t *testing.T) {
 	}
 	t.Fatalf("timeout after %v waiting for Transport connections to die off", time.Since(t0))
 }
+
+func TestInvalidHeaderResponse(t *testing.T) {
+	setParallel(t)
+	defer afterTest(t)
+	cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+		conn, buf, _ := w.(Hijacker).Hijack()
+		buf.Write([]byte("HTTP/1.1 200 OK\r\n" +
+			"Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" +
+			"Content-Type: text/html; charset=utf-8\r\n" +
+			"Content-Length: 0\r\n" +
+			"Foo : bar\r\n\r\n"))
+		buf.Flush()
+		conn.Close()
+	}))
+	defer cst.close()
+	res, err := cst.c.Get(cst.ts.URL)
+	if err != nil {
+		t.Fatal(err)
+	}
+	defer res.Body.Close()
+	if v := res.Header.Get("Foo"); v != "" {
+		t.Errorf(`unexpected "Foo" header: %q`, v)
+	}
+	if v := res.Header.Get("Foo "); v != "bar" {
+		t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar")
+	}
+}
diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
index 2c4f25d5ae..1a5e364cf7 100644
--- a/src/net/textproto/reader.go
+++ b/src/net/textproto/reader.go
@@ -493,18 +493,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
 			return m, err
 		}
 
-		// Key ends at first colon; should not have trailing spaces
-		// but they appear in the wild, violating specs, so we remove
-		// them if present.
+		// Key ends at first colon.
 		i := bytes.IndexByte(kv, ':')
 		if i < 0 {
 			return m, ProtocolError("malformed MIME header line: " + string(kv))
 		}
-		endKey := i
-		for endKey > 0 && kv[endKey-1] == ' ' {
-			endKey--
-		}
-		key := canonicalMIMEHeaderKey(kv[:endKey])
+		key := canonicalMIMEHeaderKey(kv[:i])
 
 		// As per RFC 7230 field-name is a token, tokens consist of one or more chars.
 		// We could return a ProtocolError here, but better to be liberal in what we
diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
index f85fbdc36d..b92fdcd3c7 100644
--- a/src/net/textproto/reader_test.go
+++ b/src/net/textproto/reader_test.go
@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.T) {
 	}
 }
 
-// Test that we read slightly-bogus MIME headers seen in the wild,
-// with spaces before colons, and spaces in keys.
+// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers
+// with spaces before colons, and accept spaces in keys.
 func TestReadMIMEHeaderNonCompliant(t *testing.T) {
-	// Invalid HTTP response header as sent by an Axis security
-	// camera: (this is handled by IE, Firefox, Chrome, curl, etc.)
+	// These invalid headers will be rejected by net/http according to RFC 7230.
 	r := reader("Foo: bar\r\n" +
 		"Content-Language: en\r\n" +
 		"SID : 0\r\n" +
@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
 	want := MIMEHeader{
 		"Foo":              {"bar"},
 		"Content-Language": {"en"},
-		"Sid":              {"0"},
-		"Audio Mode":       {"None"},
-		"Privilege":        {"127"},
+		"SID ":             {"0"},
+		"Audio Mode ":      {"None"},
+		"Privilege ":       {"127"},
 	}
 	if !reflect.DeepEqual(m, want) || err != nil {
 		t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err, want)