{"author":"Sören Tempel","author_email":"soeren+git@soeren-tempel.net","author_time":1744474187,"commit_time":1744751350,"committer":"Daniel Stenberg","committer_email":"daniel@haxx.se","hash":"fbdb1e1dbe824a72f41a104fa26e555cb0b6b45a","message":"http: in alt-svc negotiation only allow supported HTTP versions\n\nWithout this patch, the handling of the alt-svc header added via\n279a4772ae67dd4d9770e11e60040f9113b1c345 in curl-8.13.0 attempts to\nconnect to alternative services via different HTTP versions, even if the\ntarget HTTP version is not supported by curl (i.e., not enabled at\ncompile-time). If I understand the code and RFC 7838 correctly, then we\nshould only attempt to migrate to supported protocols. Therefore,\n`allowed_apns` should only contain such protocols, and we need to guard\nits modification with `ifdefs` for supported HTTP versions.\n\nThis was discovered in a downstream bug report in Alpine Linux [1] where\nit was reported that a Matrix client (using libcurl) was defunct after\nthe upgrade to curl-8.13.0. Further debugging revealed that this was due\nto the Matrix server sending an `alt-svc: h3=\":443\";` HTTP header,\ncausing curl to attempt migration to HTTP3 even though Alpine's curl\nversion is compiled without HTTP3 support.\n\nI am not sure if this is the best place in the code to address this\nor if the `allowed` bitmask shouldn't contain unsupported versions\nin the first place. However, since there are existing `ifdefs` in\nthis function for source (not destination) ALP selection, it may\nbe a good fit to address this here.\n\n[1]: https://gitlab.alpinelinux.org/alpine/aports/-/issues/17062\n\nCloses #17037\n","parents":["a0ebac01309e45851ac3304c528893686eff9ac7"],"tree_hash":"05ff5a521f13d9ddbdd1d8bf4398a18d3378aded"}