net/http: ReadRequest can stack overflow [1.15 backport]

[gopherbot]

@katiehockman requested issue #45710 to be considered for backport to the next 1.15 minor release.

@gopherbot please consider this for backport to 1.16.4 and 1.15.12, it's a security issue.

[dmitshur]

Approved as this is a security fix. This backport applies to both 1.16 (#45712) and 1.15 (this issue).

[gopherbot]

Change https://golang.org/cl/314650 mentions this issue: [release-branch.go1.15] http/httpguts: remove recursion in HeaderValuesContainsToken

[gopherbot]

Closed by merging 261fb518b1ed846d17ed4bf64d95e8a0a7894600 to release-branch.go1.15.

[dmitshur]

Reopening for update to the vendored copy in the Go tree (step 2 at https://golang.org/wiki/MinorReleases#cherry-pick-cls-for-vendored-golangorgx-packages).