Vendored llhttp 8.1.1 is vulnerable

[mgorny]

httptools is currently vendoring llhttp 8.1.1 which is vulnerable to CVE-2024-27982.

[mgorny]

And after upgrading to 8.1.2, I'm seeing failures, because it no longer accepts multiline headers. FWICS, it may be possible to avoid this by using llhttp_set_lenient_headers(), but I guess that reintroduces the vulnerability. Alternatively, the tests could be updated not to rely on that anymore but I don't know if that's going to break consumers or not.

[elprans]

Yeah, I went with the latter approach in #113, though maybe httptools should expose the lenient_headers opt-in in case people rely on it.

[elprans]

Alright, I rerolled #113 with leniency flags exposed.

[mgorny]

Thanks!