The HTTP/1.1 specification says that we MUST implement HTTP/0.9, which we
don't do. We also fail to provide the correct error message if we
receive such a request. Here is a patch which will return a 505 error
instead of a 400 error if we receive no HTTP version, which is the
indicator that this is an HTTP/0.9 request.
Cheers,
Emil
Index: usr.sbin/httpd/server_http.c
===================================================================
RCS file: /cvs/src/usr.sbin/httpd/server_http.c,v
retrieving revision 1.142
diff -u -p -u -p -r1.142 server_http.c
--- usr.sbin/httpd/server_http.c 29 Oct 2020 12:30:52 -0000
1.142
+++ usr.sbin/httpd/server_http.c 22 Nov 2020 16:42:18 -0000
@@ -313,7 +313,7 @@ server_read_http(struct bufferevent *bev
desc->http_version = strchr(desc->http_path, ' ');
if (desc->http_version == NULL) {
- server_abort_http(clt, 400, "malformed");
+ server_abort_http(clt, 505, "HTTP
Version Not Supported");
goto abort;
}
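Review bot: the `desc->http_version == NULL` branch is taken for any request line that has no space after the path, so with this change a truncated or otherwise malformed request line is answered with 505, not only a genuine HTTP/0.9 simple request. HTTP/0.9 defined only GET, so consider returning 505 only when the method is GET and keeping `server_abort_http(clt, 400, "malformed")` for every other case. The previous call passed a short detail string ("malformed"); if server_abort_http already emits the reason phrase for the status code, passing "HTTP Version Not Supported" here would repeat it, and a shorter detail string would match the existing call style. The patch also appears to have been wrapped by the mail client (the `---` header line and the added `+` line are each split across two lines), so it will not apply as sent and should be resent unwrapped.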