Notes on http parser corner cases

Dealing with %00

%00 is considered illegal in

• the path part of the URL. A lot of user code handles it as a NUL terminated string, even though the header get apis are based around length. So it is disallowed to avoid ambiguity.
• the name part of a urlarg, like ?name=value

%00 is valid in

• the value part of a urlarg, like ?name=value

When the parser sees %00 where it is not allowed, it simply drops the connection.

Note on proper urlarg handling

urlargs are allowed to contain non-NUL terminated binary. So it is important to use the length-based urlarg apis

• lws_hdr_copy_fragment()
• lws_get_urlarg_by_name_safe()

The non-length based urlarg api

• lws_get_urlarg_by_name()

...is soft-deprecated, it's still allowed but it will be fooled by the first %00 seen in the argument into truncating the argument. Use lws_get_urlarg_by_name_safe() instead.