Bug 5487: only trim SP and HTAB around field-value

[yadij]

No description provided.

[rousskov]

AFAICT, this PR does not address the essence of Bug 5487 because Squid still misinterprets non-WSP whitespace after framing-sensitive Content-Length values: Such whitespace is going to be removed by ContentLengthInterpreter::checkList()-called strListGetItem() that still uses xisspace() for trimming. The bug report uses Transfer-Encoding rather than Content-Length as an example, but Content-Length is an arguably worse attack vector because it is an end-to-end header!

There are other places in Squid code where xisspace() is used while parsing HTTP header values, including authentication-related header values. It could be argued that whatever happens inside a value is outside this PR scope, but strListGetItem() mentioned above right-trims the the last list item (among others), so it will remove non-WSP whitespace at the end of a header field value -- something this PR claims to prevent.

I see two reasonable ways to make progress:

1. Keep this PR code intact. Edit PR description to (a) explicitly state that Squid may still trim non-SP/HTAB characters around (and inside) HTTP field values and (b) explain why we are content with such incomplete/inconsistent whitespace treatment.
2. Adjust PR to ban xisspace() and equivalent from all known HTTP header field parsing code, including strListGetItem() and HttpHeader::getAuthToken().