fix(-pr http11): disable HTTP/2 fallback in retryablehttp when http11 protocol is set

When -pr http11 is used, httpx correctly sets TLSNextProto={} and
GODEBUG=http2client=0 to force HTTP/1.1. However retryablehttp-go's
automatic HTTP/2 fallback in do.go silently bypasses this:

  if err is malformed HTTP/2 response {
      resp, err = c.HTTPClient2.Do(req.Request)  // <- ignores http11 config
  }

This commit sets retryablehttpOptions.DisableHTTP2Fallback=true when
Protocol=="http11", ensuring the HTTP/1.1-only requirement is honoured
end-to-end.

Depends on: projectdiscovery/retryablehttp-go#532
Fixes: #2240

Author: usernametooshort

common/httpx/httpx.go

@@ -154,9 +154,13 @@ func New(options *Options) (*HTTPX, error) {
 	}
 
 	if httpx.Options.Protocol == "http11" {
-		// disable http2
+		// disable http2 at transport level
 		_ = os.Setenv("GODEBUG", "http2client=0")
 		transport.TLSNextProto = map[string]func(string, *tls.Conn) http.RoundTripper{}
+		// also disable the HTTP/2 fallback in retryablehttp-go so that
+		// malformed-HTTP/2 errors do not cause a silent protocol upgrade
+		// via HTTPClient2 (see projectdiscovery/retryablehttp-go#532)
+		retryablehttpOptions.DisableHTTP2Fallback = true
 	}
 
 	if httpx.Options.SniName != "" {