Description: fix same-origin bypass and cache-poisoning attack via
 crafted HTTP host header
Origin: upstream, http://www.squid-cache.org/Versions/v3/3.5/changesets/squid-3.5-14038.patch
Origin: upstream, http://bazaar.launchpad.net/~squid/squid/3.5/revision/14049
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=823968

Index: squid3-3.5.12/src/mime_header.cc
===================================================================
--- squid3-3.5.12.orig/src/mime_header.cc	2015-12-02 13:10:29.000000000 -0500
+++ squid3-3.5.12/src/mime_header.cc	2016-06-07 08:08:08.087687848 -0400
@@ -36,11 +36,11 @@
 
     debugs(25, 5, "mime_get_header: looking for '" << name << "'");
 
-    for (p = mime; *p; p += strcspn(p, "\n\r")) {
-        if (strcmp(p, "\r\n\r\n") == 0 || strcmp(p, "\n\n") == 0)
+    for (p = mime; *p; p += strcspn(p, "\n")) {
+        if (strcmp(p, "\n\r\n") == 0 || strcmp(p, "\n\n") == 0)
             return NULL;
 
-        while (xisspace(*p))
+        if (*p == '\n')
             ++p;
 
         if (strncasecmp(p, name, namelen))