BUG/MAJOR: http: don't read past buffer's end in http_replace_value

The function http_replace_value use bad variable to detect the end
of the input string.

Regression introduced by the patch "MEDIUM: regex: Remove null
terminated strings." (c9c2daf2)

We need to backport this patch int the 1.5 stable branch.

WT: there is no possibility to overwrite existing data as we only read
    past the end of the request buffer, to copy into the trash. The copy
    is bounded by buffer_replace2(), just like the replacement performed
    by exp_replace(). However if a buffer happens to contain non-zero data
    up to the next unmapped page boundary, there's a theorical risk of
    crashing the process despite this not being reproducible in tests.
    The risk is low because "http-request replace-value" did not work due
    to this bug so that probably means it's not used yet.
(cherry picked from commit 534101658d6e19aeb598bf7833a8ce167498c4ed)
1 file changed