Hi,
We have this bug [1] that shows a short "HTTP/0.9" response and how curl just
then ignores the data it receives.
HTTP/0.9 is the popular name for the never truly named HTTP version that
existed before HTTP/1.0 was born. It has no response headers at all but
instead it just sends data and requires a closed connection to signal the end
of the data.
libcurl supports HTTP/0.9 by default, which might come as a surprise to users.
Around 3% of users in the annual survey claim they use HTTP/0.9 with curl.
I would like to stop allowing HTTP/0.9 by default and instead make the support
opt-in and thus more explicit. I fear the implied support could become a
subtle security risk at some point to some, plus not supporting it will create
a better route forward for treating repsonses such as the one in [1] as an
error and not HTTP/0.9 data.
Does anyone has a use case or reasoning why going this way would be a bad
idea?
[1] = https://github.com/curl/curl/issues/2420
--
/ daniel.haxx.se
-------------------------------------------------------------------
Unsubscribe: https://cool.haxx.se/list/listinfo/curl-library
Etiquette: https://curl.haxx.se/mail/etiquette.html
