authorFilippo Valsorda <filippo@golang.org>2019-09-26 12:03:49 -0400
committerFilippo Valsorda <filippo@golang.org>2019-09-26 12:03:49 -0400
commit5af12aedbdd228a74973a7bda3fc4d3bdc51ffc4 (patch)
tree099385d63f3eef38c1ba1882d5c3769b50b92a53
parent44a4250a57ca66967908bbedf442cf5db1376c91 (diff)
parentb17fd8e49d24eb298c53de5cd0a8923f1e0270ba (diff)
[release-branch.go1.13] all: merge release-branch.go1.13-security into release-branch.go1.13
Change-Id: Ifd5550b88100c8714ca11bf18b12aa197e3069e5
-rw-r--r--VERSION2
-rw-r--r--doc/devel/release.html16
-rw-r--r--src/net/http/serve_test.go4
-rw-r--r--src/net/http/transport_test.go27
-rw-r--r--src/net/textproto/reader.go10
-rw-r--r--src/net/textproto/reader_test.go13
6 files changed, 56 insertions, 16 deletions
diff --git a/VERSION b/VERSION
index a5756b40f8..10dfea1f94 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-go1.13 \ No newline at end of file
+go1.13.1 \ No newline at end of file
diff --git a/doc/devel/release.html b/doc/devel/release.html
index 019c4e16af..f83e676ff4 100644
--- a/doc/devel/release.html
+++ b/doc/devel/release.html
@@ -30,6 +30,15 @@ Go 1.13 is a major release of Go.
Read the <a href="/doc/go1.13">Go 1.13 Release Notes</a> for more information.
</p>
+<h3 id="go1.13.minor">Minor revisions</h3>
+
+<p>
+go1.13.1 (released 2019/09/25) includes security fixes to the
+<code>net/http</code> and <code>net/textproto</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.13.1">Go
+1.13.1 milestone</a> on our issue tracker for details.
+</p>
+
<h2 id="go1.12">go1.12 (released 2019/02/25)</h2>
<p>
@@ -105,6 +114,13 @@ See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.9+labe
1.12.9 milestone</a> on our issue tracker for details.
</p>
+<p>
+go1.12.10 (released 2019/09/25) includes security fixes to the
+<code>net/http</code> and <code>net/textproto</code> packages.
+See the <a href="https://github.com/golang/go/issues?q=milestone%3AGo1.12.10">Go
+1.12.10 milestone</a> on our issue tracker for details.
+</p>
+
<h2 id="go1.11">go1.11 (released 2018/08/24)</h2>
<p>
diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
index 61adda2604..1d1449aa65 100644
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
@@ -4755,6 +4755,10 @@ func TestServerValidatesHeaders(t *testing.T) {
{"foo\xffbar: foo\r\n", 400}, // binary in header
{"foo\x00bar: foo\r\n", 400}, // binary in header
{"Foo: " + strings.Repeat("x", 1<<21) + "\r\n", 431}, // header too large
+ // Spaces between the header key and colon are not allowed.
+ // See RFC 7230, Section 3.2.4.
+ {"Foo : bar\r\n", 400},
+ {"Foo\t: bar\r\n", 400},
{"foo: foo foo\r\n", 200}, // LWS space is okay
{"foo: foo\tfoo\r\n", 200}, // LWS tab is okay
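Review bot: The two new rows only exercise a single space or a single tab immediately before the colon, so the server-side rejection they pin is not demonstrated for the other shapes the textproto change now passes through verbatim — several whitespace characters before the colon, and whitespace inside the key. Since that server check is now the only thing preventing a line like `Content-Length : 5` from being treated as `Content-Length` (textproto no longer trims it), rows such as `{"Foo  : bar\r\n", 400}`, `{"Foo Bar: baz\r\n", 400}` and a `Content-Length : 0` variant (presumably also 400) would make the table cover the cases that matter for smuggling. The table and TestServerValidatesHeaders both continue outside the hunk.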
diff --git a/src/net/http/transport_test.go b/src/net/http/transport_test.go
index 4fabddd367..e43c8956ee 100644
--- a/src/net/http/transport_test.go
+++ b/src/net/http/transport_test.go
@@ -5692,3 +5692,30 @@ func TestTransportIgnores408(t *testing.T) {
}
t.Fatalf("timeout after %v waiting for Transport connections to die off", time.Since(t0))
}
+
+func TestInvalidHeaderResponse(t *testing.T) {
+ setParallel(t)
+ defer afterTest(t)
+ cst := newClientServerTest(t, h1Mode, HandlerFunc(func(w ResponseWriter, r *Request) {
+ conn, buf, _ := w.(Hijacker).Hijack()
+ buf.Write([]byte("HTTP/1.1 200 OK\r\n" +
+ "Date: Wed, 30 Aug 2017 19:09:27 GMT\r\n" +
+ "Content-Type: text/html; charset=utf-8\r\n" +
+ "Content-Length: 0\r\n" +
+ "Foo : bar\r\n\r\n"))
+ buf.Flush()
+ conn.Close()
+ }))
+ defer cst.close()
+ res, err := cst.c.Get(cst.ts.URL)
+ if err != nil {
+ t.Fatal(err)
+ }
+ defer res.Body.Close()
+ if v := res.Header.Get("Foo"); v != "" {
+ t.Errorf(`unexpected "Foo" header: %q`, v)
+ }
+ if v := res.Header.Get("Foo "); v != "bar" {
+ t.Errorf(`bad "Foo " header value: %q, want %q`, v, "bar")
+ }
+}
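Review bot: `conn, buf, _ := w.(Hijacker).Hijack()` discards the Hijack error; if it fails, `conn` is nil and `conn.Close()` panics inside the handler goroutine, which hides the real failure behind a crash. Check it with `if err != nil { t.Error(err); return }` (t.Fatal must not be called from a non-test goroutine). The test also pins an asymmetry that deserves a comment, because it is easy to misread as a bug: the client does not reject the malformed `Foo : bar` header but surfaces it under the literal key "Foo ", so it cannot alias a legitimately named "Foo" — a line such as `// The client is lenient: the malformed header is kept under its raw key "Foo " rather than being rejected or normalized to "Foo".` above the two assertions would make that explicit. Asserting `res.StatusCode == 200` would additionally confirm the response was fully parsed rather than partially consumed before the bad header.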
diff --git a/src/net/textproto/reader.go b/src/net/textproto/reader.go
index a5cab993b2..87f901b4fc 100644
--- a/src/net/textproto/reader.go
+++ b/src/net/textproto/reader.go
@@ -495,18 +495,12 @@ func (r *Reader) ReadMIMEHeader() (MIMEHeader, error) {
return m, err
}
- // Key ends at first colon; should not have trailing spaces
- // but they appear in the wild, violating specs, so we remove
- // them if present.
+ // Key ends at first colon.
i := bytes.IndexByte(kv, ':')
if i < 0 {
return m, ProtocolError("malformed MIME header line: " + string(kv))
}
- endKey := i
- for endKey > 0 && kv[endKey-1] == ' ' {
- endKey--
- }
- key := canonicalMIMEHeaderKey(kv[:endKey])
+ key := canonicalMIMEHeaderKey(kv[:i])
// As per RFC 7230 field-name is a token, tokens consist of one or more chars.
// We could return a ProtocolError here, but better to be liberal in what we
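Review bot: The replacement comment `// Key ends at first colon.` drops any explanation of why whitespace before the colon is now kept in the key, which appears to be the security-relevant part of this change: with the old trimming a header such as `Content-Length : 5` was indistinguishable from `Content-Length: 5`, while an RFC 7230 §3.2.4-conformant peer treats it as a different (invalid) field — the kind of disagreement between a proxy and this parser that enables request smuggling. Suggest `// Key ends at first colon. Whitespace before the colon is deliberately kept as part of the key (RFC 7230 §3.2.4 forbids it) so that e.g. "Content-Length : 5" cannot alias "Content-Length"; net/http rejects such keys.` Note that this package by itself still accepts such lines — per the reader_test.go comment the rejection lives in net/http — so callers using textproto directly will see the raw, non-canonical key. ReadMIMEHeader begins and ends outside the hunk.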
diff --git a/src/net/textproto/reader_test.go b/src/net/textproto/reader_test.go
index 6ff7eefe91..97fb1ab028 100644
--- a/src/net/textproto/reader_test.go
+++ b/src/net/textproto/reader_test.go
@@ -188,11 +188,10 @@ func TestLargeReadMIMEHeader(t *testing.T) {
}
}
-// Test that we read slightly-bogus MIME headers seen in the wild,
-// with spaces before colons, and spaces in keys.
+// TestReadMIMEHeaderNonCompliant checks that we don't normalize headers
+// with spaces before colons, and accept spaces in keys.
func TestReadMIMEHeaderNonCompliant(t *testing.T) {
- // Invalid HTTP response header as sent by an Axis security
- // camera: (this is handled by IE, Firefox, Chrome, curl, etc.)
+ // These invalid headers will be rejected by net/http according to RFC 7230.
r := reader("Foo: bar\r\n" +
"Content-Language: en\r\n" +
"SID : 0\r\n" +
@@ -202,9 +201,9 @@ func TestReadMIMEHeaderNonCompliant(t *testing.T) {
want := MIMEHeader{
"Foo": {"bar"},
"Content-Language": {"en"},
- "Sid": {"0"},
- "Audio Mode": {"None"},
- "Privilege": {"127"},
+ "SID ": {"0"},
+ "Audio Mode ": {"None"},
+ "Privilege ": {"127"},
}
if !reflect.DeepEqual(m, want) || err != nil {
t.Fatalf("ReadMIMEHeader =\n%v, %v; want:\n%v", m, err, want)
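Review bot: The expected map shows that raw keys are preserved, but nothing here checks the property the change is really about — that a key with trailing whitespace no longer collides with its well-formed counterpart. Adding a pair such as `"Content-Length : 5\r\n"` and `"Content-Length: 3\r\n"` to the input and expecting separate `"Content-Length "` and `"Content-Length"` entries would guard against a future "helpful" trim reintroducing the aliasing. It is also worth pinning `m.Get("Sid") == ""` — Get canonicalizes its argument, so the non-canonical `"SID "` entry must not be reachable under the canonical name. The input string this hunk checks is built in the previous hunk of this file.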