Reject non-http, non-https URLs. (#921)

Normally hyper is in charge of rejecting non-http URLs, but because
reqwest supports both http and https URLs, it calls enforce_http(false),
disabling hyper's checks.

This adds back a check in reqwest itself, plus a test.

There may still need to be an additional check in connect.rs.

src/async_impl/client.rs

@@ -35,6 +35,7 @@ use super::Body;
 use crate::connect::{Connector, HttpConnector};
 #[cfg(feature = "cookies")]
 use crate::cookie;
+use crate::error;
 use crate::into_url::{expect_uri, try_uri};
 use crate::redirect::{self, remove_sensitive_headers};
 #[cfg(feature = "__tls")]
@@ -995,6 +996,9 @@ impl Client {
 
     pub(super) fn execute_request(&self, req: Request) -> Pending {
         let (method, url, mut headers, body, timeout) = req.pieces();
+        if url.scheme() != "http" && url.scheme() != "https" {
+            return Pending::new_err(error::url_bad_scheme(url));
+        }
 
         // insert default headers in the request headers
         // without overwriting already appended headers.
@@ -1496,3 +1500,18 @@ fn add_cookie_header(headers: &mut HeaderMap, cookie_store: &cookie::CookieStore
         );
     }
 }
+
+#[cfg(test)]
+mod tests {
+    #[tokio::test]
+    async fn execute_request_rejects_invald_urls() {
+        let url_str = "hxxps://www.rust-lang.org/";
+        let url = url::Url::parse(url_str).unwrap();
+        let result = crate::get(url.clone()).await;
+
+        assert!(result.is_err());
+        let err = result.err().unwrap();
+        assert!(err.is_builder());
+        assert_eq!(url_str, err.url().unwrap().as_str());
+    }
+}