golang/0007-release-branch.go1.17-net-http-don-t-strip-whitespac.patch

From 4ad62aecaf57ca3adc11a04bd2113bdbee6249c3 Mon Sep 17 00:00:00 2001
From: Damien Neil <dneil@google.com>
Date: Wed, 1 Jun 2022 11:17:07 -0700
Subject: [PATCH 03/11] [release-branch.go1.17] net/http: don't strip
 whitespace from Transfer-Encoding headers

Do not accept "Transfer-Encoding: \rchunked" as a valid TE header
setting chunked encoding.

Thanks to Zeyu Zhang (https://www.zeyu2001.com/) for identifying
the issue.

For #53188
For CVE-2022-1705
Fixes #53432

Change-Id: I1a16631425159267f2eca68056b057192a7edf6c
Reviewed-on: https://go-review.googlesource.com/c/go/+/409874
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
(cherry picked from commit e5017a93fcde94f09836200bca55324af037ee5f)
Reviewed-on: https://go-review.googlesource.com/c/go/+/415217
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Run-TryBot: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>

Conflict: NA
Reference: https://go-review.googlesource.com/c/go/+/415217
---
 src/net/http/serve_test.go | 1 +
 src/net/http/transfer.go   | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/net/http/serve_test.go b/src/net/http/serve_test.go
index 6394da3bb7c..bfac783e3a9 100644
--- a/src/net/http/serve_test.go
+++ b/src/net/http/serve_test.go
@@ -6189,6 +6189,7 @@ func TestUnsupportedTransferEncodingsReturn501(t *testing.T) {
 		"fugazi",
 		"foo-bar",
 		"unknown",
+		"\rchunked",
 	}
 
 	for _, badTE := range unsupportedTEs {
diff --git a/src/net/http/transfer.go b/src/net/http/transfer.go
index 85c2e5a360d..3894007d306 100644
--- a/src/net/http/transfer.go
+++ b/src/net/http/transfer.go
@@ -639,7 +639,7 @@ func (t *transferReader) parseTransferEncoding() error {
 	if len(raw) != 1 {
 		return &unsupportedTEError{fmt.Sprintf("too many transfer encodings: %q", raw)}
 	}
-	if !ascii.EqualFold(textproto.TrimString(raw[0]), "chunked") {
+	if !ascii.EqualFold(raw[0], "chunked") {
 		return &unsupportedTEError{fmt.Sprintf("unsupported transfer encoding: %q", raw[0])}
 	}
 
-- 
2.30.2