To be clear, this bug is in example code to demonstrate how one uses libnghttp2, not in any actual libnghttp2 code.
The upstream developer Tatsuhiro Tsujikawa (offlist) said:
> Thank you for the security analysis.
> examples/client.c is an example program to show how to use libnghttp2, and we made it intentionally simple.
> In addition, since developers often use self-signed certificates for development, we omitted any verification after handshake. We never expect to see this used in a production scenario.
Ruan, I believe the upstream developer is waiting on you to respond with how you would like them to proceed: either a block comment or removal of the example code.