Lightweight C library for HTML5 websockets
Notes on http parser corner cases

Dealing with %00

%00 is considered illegal in

  • the path part of the URL. A lot of user code handles it as a NUL terminated string, even though the header get apis are based around length. So it is disallowed to avoid ambiguity.
  • the name part of a urlarg, like ?name=value

%00 is valid in

  • the value part of a urlarg, like ?name=value

When the parser sees %00 where it is not allowed, it simply drops the connection.

Note on proper urlarg handling

urlargs are allowed to contain non-NUL terminated binary. So it is important to use the length-based urlarg apis

The non-length based urlarg api soft-deprecated, it's still allowed but it will be fooled by the first %00 seen in the argument into truncating the argument. Use lws_get_urlarg_by_name_safe() instead.