fix(-pr http11): disable retryablehttp HTTP/2 fallback when http11 protocol is forced#2438
Open
usernametooshort wants to merge 1 commit intoprojectdiscovery:mainfrom
Conversation
Incremental Security Review - Commit 3f038efReviewed the incremental changes between commit 0e65470 and 3f038ef. Only 1 file was modified (common/httpx/httpx.go) with 6 lines added. No exploitable security vulnerabilities were found in the changes. 📌 Key Takeaways
|
![neo-by-projectdiscovery-dev[bot]](https://avatars.githubusercontent.com/in/2878468?s=60&v=4){kind=small}
… protocol is set
When -pr http11 is used, httpx correctly sets TLSNextProto={} and
GODEBUG=http2client=0 to force HTTP/1.1. However retryablehttp-go's
automatic HTTP/2 fallback in do.go silently bypasses this:
if err is malformed HTTP/2 response {
resp, err = c.HTTPClient2.Do(req.Request) // <- ignores http11 config
}
This commit sets retryablehttpOptions.DisableHTTP2Fallback=true when
Protocol=="http11", ensuring the HTTP/1.1-only requirement is honoured
end-to-end.
Depends on: projectdiscovery/retryablehttp-go#532
Fixes: projectdiscovery#2240
usernametooshort
force-pushed
the
fix/http11-disables-http2-fallback
branch
from
0e65470 to
3f038ef
Compare
Author
|
Force-pushed to clean up the branch — it had accidentally included unrelated commits from the fork point. The PR now contains only the single-line fix: retryablehttpOptions.DisableHTTP2Fallback = trueThe SQL injection warning from Neo was from pre-existing code in the old diff, not from this PR. |
Mzack9999
requested changes
Mar 6, 2026
Member
Mzack9999
left a comment
Mzack9999
left a comment
There was a problem hiding this comment.
The PR should target the dev branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When
-pr http11is used, httpx correctly disables HTTP/2 at the transport level:However, retryablehttp-go has an automatic fallback in
do.gothat silently upgrades to HTTP/2 when it sees a malformed HTTP/2 error:This means
-pr http11has no effect for servers that respond with HTTP/2, because retryablehttp-go overrides the protocol choice viaHTTPClient2.Fixes #2240
Fix
This PR sets
retryablehttpOptions.DisableHTTP2Fallback = truewhenProtocol == "http11", which (via projectdiscovery/retryablehttp-go#532) skips theHTTPClient2.Dofallback and honours the HTTP/1.1-only requirement end-to-end.Dependency
Requires projectdiscovery/retryablehttp-go#532 to be merged first (adds the
DisableHTTP2Fallbackoption).Testing