Sergey "Shnatsel" Davidoff
Heads up: this issue has been included in the [RustSec advisory database](https://github.com/RustSec/advisory-db). It will be surfaced by tools such as [cargo-audit](https://github.com/RustSec/cargo-audit) or [cargo-deny](https://github.com/EmbarkStudios/cargo-deny) from now on. Once a fix is...
FWIW the fuzzing corpus added in #31 already includes files that trigger identical execution paths, according to cargo-fuzz instrumentation anyway. It might be a better idea to check the fuzzing...
The difference is not large in absolute terms - it's 3ms with png vs 1ms with spng. But that could still be noticeable in a networked setting (2 more ms...
I can still reproduce with [this code](https://github.com/Shnatsel/rust-http-clients-smoke-test/blob/f206362f2e81521bbefb84007cdd25242f6db590/surf-smoke-test/src/main.rs). My code follows redirections and dumps headers to stdout. Could longboard be unaffected because it doesn't ever look at the headers?
It would be nice to expose this option in surf and accept HTTP 1.0 by default, since literally every other client I've tested seems to do so.
This is also reported for a number of other encodings, and other HTTP clients do not report an error here - neither Firefox (which uses encoding-rs) nor `ureq` (a client...
Personally I'd expect an HTTP client to mirror the behavior of web browsers by default, but I agree the desired behavior in this case is not clear-cut.
> You can look it up for a particular distro, but Debian's rustc (for example) is often 6 months or more behind the latest stable. AFAIK Debian updates both `rustc`...
I'm also interested in this for `cargo auditable` and I'm happy to contribute a PR.
This has been explored already and found to be unworkable, see #155 and #70