FIX HTTP/2 disabled support not working as intended #697
Description
The parameter -usehttp2 is disabled by default; however, the ffuf client doesn't actually disable HTTP/2 requests when that parameter is set to false. As it is officially documented:
Starting with Go 1.6, the http package has transparent support for the HTTP/2 protocol when using HTTPS. Programs that must disable HTTP/2 can do so by setting Transport.TLSNextProto (for clients) or Server.TLSNextProto (for servers) to a non-nil, empty map.
However, this isn't being done in the runner client:
ffuf/pkg/runner/simple.go, line 51 in 5fd821c
Not forcing HTTP/2 is not the same as disabling HTTP/2.
I have modified the client code to disable HTTP/2 requests completely if the parameter -usehttp2, by setting an empty map under TLSNextProto:
transport.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
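Added example, not part of the pull request or of ffuf's code: a self-contained Go check of the documented behaviour quoted above, showing that a non-nil, empty TLSNextProto map keeps a client on HTTP/1.1 even when ForceAttemptHTTP2 is true. The helper negotiatedProto, its two parameters and the local httptest server are assumptions made for the illustration.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// negotiatedProto starts a local TLS test server that offers h2 and returns
// the protocol a single GET actually used. forceH2 and disableH2 are
// illustrative parameters, not ffuf options.
func negotiatedProto(forceH2, disableH2 bool) (string, error) {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, r.Proto) }))
	srv.EnableHTTP2 = true
	srv.StartTLS()
	defer srv.Close()

	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate()) // trust only the test server's certificate
	tr := &http.Transport{
		ForceAttemptHTTP2: forceH2,
		TLSClientConfig:   &tls.Config{RootCAs: pool},
	}
	if disableH2 {
		// Non-nil, empty map: the documented way to switch HTTP/2 off.
		tr.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
	}
	defer tr.CloseIdleConnections()

	resp, err := (&http.Client{Transport: tr}).Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	io.Copy(io.Discard, resp.Body)
	return resp.Proto, nil
}

func main() {
	for _, c := range []struct{ force, disable bool }{{true, false}, {true, true}, {false, true}} {
		proto, err := negotiatedProto(c.force, c.disable)
		fmt.Printf("ForceAttemptHTTP2=%v emptyTLSNextProto=%v -> %q (err=%v)\n", c.force, c.disable, proto, err)
	}
}
```

Checking resp.Proto on a response is also a quick way to confirm which protocol a scanner really spoke to a target when HTTP/2-specific behaviour matters for the test results.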