1*1c60b9acSAndroid Build Coastguard Worker# Notes on http parser corner cases 2*1c60b9acSAndroid Build Coastguard Worker 3*1c60b9acSAndroid Build Coastguard Worker## Dealing with %00 4*1c60b9acSAndroid Build Coastguard Worker 5*1c60b9acSAndroid Build Coastguard Worker%00 is considered illegal in 6*1c60b9acSAndroid Build Coastguard Worker 7*1c60b9acSAndroid Build Coastguard Worker - the path part of the URL. A lot of user code handles it as a NUL terminated string, 8*1c60b9acSAndroid Build Coastguard Worker even though the header get apis are based around length. So it is disallowed to 9*1c60b9acSAndroid Build Coastguard Worker avoid ambiguity. 10*1c60b9acSAndroid Build Coastguard Worker 11*1c60b9acSAndroid Build Coastguard Worker - the name part of a urlarg, like ?name=value 12*1c60b9acSAndroid Build Coastguard Worker 13*1c60b9acSAndroid Build Coastguard Worker%00 is valid in 14*1c60b9acSAndroid Build Coastguard Worker 15*1c60b9acSAndroid Build Coastguard Worker - the value part of a urlarg, like ?name=value 16*1c60b9acSAndroid Build Coastguard Worker 17*1c60b9acSAndroid Build Coastguard WorkerWhen the parser sees %00 where it is not allowed, it simply drops the connection. 18*1c60b9acSAndroid Build Coastguard Worker 19*1c60b9acSAndroid Build Coastguard Worker## Note on proper urlarg handling 20*1c60b9acSAndroid Build Coastguard Worker 21*1c60b9acSAndroid Build Coastguard Workerurlargs are allowed to contain non-NUL terminated binary. So it is important to 22*1c60b9acSAndroid Build Coastguard Workeruse the length-based urlarg apis 23*1c60b9acSAndroid Build Coastguard Worker 24*1c60b9acSAndroid Build Coastguard Worker - `lws_hdr_copy_fragment()` 25*1c60b9acSAndroid Build Coastguard Worker - `lws_get_urlarg_by_name_safe()` 26*1c60b9acSAndroid Build Coastguard Worker 27*1c60b9acSAndroid Build Coastguard WorkerThe non-length based urlarg api 28*1c60b9acSAndroid Build Coastguard Worker 29*1c60b9acSAndroid Build Coastguard Worker - `lws_get_urlarg_by_name()` 30*1c60b9acSAndroid Build Coastguard Worker 31*1c60b9acSAndroid Build Coastguard Worker...is soft-deprecated, it's still allowed but it will be fooled by the first %00 32*1c60b9acSAndroid Build Coastguard Workerseen in the argument into truncating the argument. Use `lws_get_urlarg_by_name_safe()` 33*1c60b9acSAndroid Build Coastguard Workerinstead. 34