From 9a90ed20acf49ad48a2c0aa6a91699007e31f4c8 Mon Sep 17 00:00:00 2001
From: Andy Green
Date: Sat, 7 May 2016 08:33:07 +0800
Subject: fix %3d handling in path part and add attack.sh

https://github.com/warmcat/libwebsockets/issues/518

Signed-off-by: Andy Green
---
 lib/parsers.c | 4 +++-
 test-server/attack.sh | 13 +++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/lib/parsers.c b/lib/parsers.c
index 0721a4b5..9ba3fd5c 100644
--- a/lib/parsers.c
+++ b/lib/parsers.c
@@ -635,7 +635,9 @@ lws_parse(struct lws *wsi, unsigned char c)
 goto swallow;
 }
 /* uriencoded = in the name part, disallow */
- if (c == '=' && enc && !wsi->u.hdr.post_literal_equal)
+ if (c == '=' && enc &&
+ ah->frag_index[WSI_TOKEN_HTTP_URI_ARGS] &&
+ !wsi->u.hdr.post_literal_equal)
 c = '_';
 /* after the real =, we don't care how many = */
diff --git a/test-server/attack.sh b/test-server/attack.sh
index 3bf4d675..a3732cb6 100755
--- a/test-server/attack.sh
+++ b/test-server/attack.sh
@@ -50,6 +50,14 @@ function check {
 fi
 fi
+ if [ "$1" == "0" ] ; then
+ a="`dd if=$LOG bs=1 skip=$LEN 2>/dev/null |grep "get\ \ =" | tr -s ' ' | cut -d' ' -f4-`"
+ if [ "$a" != "$2" ] ; then
+ echo "URL path '$a' not $2"
+ exit 1
+ fi
+ fi
+
 if [ "$1" == "1" ] ; then
 a="`dd if=$LOG bs=1 skip=$LEN 2>/dev/null |grep URI\ Arg\ 1\: | tr -s ' ' | cut -d' ' -f5-`"
 if [ "$a" != "$2" ] ; then
@@ -106,9 +114,10 @@ check 1 "key1=value1"
 check
 echo
-echo "---- ? processing (/test?key1%3d2=value1)"
+echo "---- ? processing (/t%3dest?key1%3d2=value1)"
 rm -f /tmp/lwscap
-echo -e "GET /test?key1%3d2=value1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+echo -e "GET /t%3dest?key1%3d2=value1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+check 0 "/t=est"
 check 1 "key1_2=value1"
 check
--
cgit v1.2.3
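Review bot: The comment kept above the rewritten condition, `/* uriencoded = in the name part, disallow */`, no longer describes when the substitution happens, because the new `ah->frag_index[WSI_TOKEN_HTTP_URI_ARGS]` term limits it to bytes seen once the URI arguments have started. A decoded `%3d` in the path is now passed through as a literal `=`, so the comment should record that this is intended and that path consumers receive the decoded character, for example `/* urlencoded = in an argument name becomes _; in the path part it is kept as a literal = */`. The guard presumably relies on that fragment index staying zero until the `?` is parsed, which happens outside this hunk. lws_parse begins and ends outside the hunk, so that cannot be confirmed from the lines shown.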
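Review bot: The new `"$1" == "0"` branch in `check` depends on the exact server log layout, and nothing in the script documents that: it needs a line containing `get  =` with two spaces, and the path starting at the fourth field once runs of spaces are squeezed. If the log prefix or wording changes, `$a` comes back empty and the test fails with `URL path '' not ...`, which reads like a decoding fault rather than a missing log line. A comment above the branch such as `# expects the server log line "... get  = <path>"; the path is field 4 onwards after tr -s` would make the coupling visible to whoever changes the log format. The body of `check` starts and ends outside this hunk.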
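Review bot: The rewritten stanza exercises only the lowercase escape `%3d`, in both the path and the argument name; the uppercase spelling `%3D` is an equally valid encoding of the same byte and is not covered. Assuming the parser's hex decoding treats both cases alike (not visible in this diff), a sibling stanza requesting `/t%3Dest?key1%3D2=value1` followed by `check 0 "/t=est"` and `check 1 "key1_2=value1"` would pin that behaviour in the regression script.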