Unrecognized schemas interpreted as HTTP

[jsha]

Steps to reproduce:

1. Parse a URL containing an invalid schema, e.g. "hxxp".
2. Request that URL.

Expected result:

Receive an error.

Actual result:

A request is made to the hostname and path from that URL, via HTTP.

This is a bit of a safety problem, since someone could typo the https schema as "htttps:", and the requests would silently be downgraded to HTTP.

use reqwest::{blocking, Url};

fn main() -> Result<(), Box<dyn std::error::Error>> {
    let url = Url::parse("hxxp://example.com").unwrap();
    let mut resp = blocking::get(url)?;
    resp.copy_to(&mut std::io::stdout())?;
    Ok(())
}

[jsha]

Spent some time poking at this. It looks like hyper requires that URLs have the "http:" scheme, but reqwest turns that off with enforce_http(false):

reqwest/src/connect.rs

Line 189 in d879d6f

http.enforce_http(false);

reqwest/src/connect.rs

Line 214 in d879d6f

http.enforce_http(false);

I tried removing those lines in a local checkout and confirmed that I got errors on unrecognized schemes. Of course, this causes hyper to reject "https:" URLs because it doesn't recognize them. It seems like reqwest needs some extra logic to enforce valid schemes, since it turns off hyper's validation.