From 9a90ed20acf49ad48a2c0aa6a91699007e31f4c8 Mon Sep 17 00:00:00 2001
From: Andy Green <andy@warmcat.com>
Date: Sat, 7 May 2016 08:33:07 +0800
Subject: [PATCH] fix %3d handling in path part and add attack.sh

https://github.com/warmcat/libwebsockets/issues/518

Signed-off-by: Andy Green <andy@warmcat.com>
---
 lib/parsers.c         |  4 +++-
 test-server/attack.sh | 13 +++++++++++--
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/lib/parsers.c b/lib/parsers.c
index 0721a4b5..9ba3fd5c 100644
--- a/lib/parsers.c
+++ b/lib/parsers.c
@@ -635,7 +635,9 @@ lws_parse(struct lws *wsi, unsigned char c)
 				goto swallow;
 			}
 			/* uriencoded = in the name part, disallow */
-			if (c == '=' && enc && !wsi->u.hdr.post_literal_equal)
+			if (c == '=' && enc &&
+			    ah->frag_index[WSI_TOKEN_HTTP_URI_ARGS] &&
+			    !wsi->u.hdr.post_literal_equal)
 				c = '_';
 
 			/* after the real =, we don't care how many = */
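Review bot: The comment above the rewritten condition still says only "uriencoded = in the name part, disallow", but the test now also requires `ah->frag_index[WSI_TOKEN_HTTP_URI_ARGS]` to be nonzero, so the substitution is skipped while the path is being parsed. I would reword it to something like `/* uriencoded = inside an argument name (URI args already started) becomes '_'; in the path part %3d is kept as a literal '=' */`. It would also help to state that a zero `frag_index` entry is what marks "no args seen yet", since that is inferred here rather than shown. After this change a decoded '=' can appear in the path, so any path matching that treats '=' specially should be checked. The body of lws_parse starts and ends outside this hunk.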
diff --git a/test-server/attack.sh b/test-server/attack.sh
index 3bf4d675..a3732cb6 100755
--- a/test-server/attack.sh
+++ b/test-server/attack.sh
@@ -50,6 +50,14 @@ function check {
 		fi
 	fi
 
+	if [ "$1" == "0" ] ; then
+		a="`dd if=$LOG bs=1 skip=$LEN 2>/dev/null |grep "get\ \ =" | tr -s ' ' | cut -d' ' -f4-`"
+		if [ "$a" != "$2" ] ; then
+			echo "URL path '$a' not $2"
+			exit 1
+		fi
+	fi
+
 	if [ "$1" == "1" ] ; then
 		a="`dd if=$LOG bs=1 skip=$LEN 2>/dev/null |grep URI\ Arg\ 1\: | tr -s ' ' | cut -d' ' -f5-`"
 		if [ "$a" != "$2" ] ; then
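Review bot: The new `check 0` branch expands `$LOG` and `$LEN` unquoted in the `dd` call, and its `grep "get\ \ ="` pattern depends on the exact double-space layout of the server's log line. If that format changes, `$a` is empty and the test fails with "URL path '' not ...", which does not say that the log line was missing. I would quote the expansions, `dd if="$LOG" bs=1 skip="$LEN"`, and add a comment naming the log line being parsed, for example `# parses the test server's "get  = <path>" log line`. If more than one such line follows `$LEN`, `$a` would presumably hold several lines and never equal `$2`. The branch copies the style of the existing `check 1` block, and `check` itself starts outside this hunk.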
@@ -106,9 +114,10 @@ check 1 "key1=value1"
 check
 
 echo
-echo "---- ? processing (/test?key1%3d2=value1)"
+echo "---- ? processing (/t%3dest?key1%3d2=value1)"
 rm -f /tmp/lwscap
-echo -e "GET /test?key1%3d2=value1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+echo -e "GET /t%3dest?key1%3d2=value1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+check 0 "/t=est"
 check 1 "key1_2=value1"
 check
 
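Review bot: The regression case for the path fix only sends `%3d` in the path together with a query string, because the old request was rewritten in place rather than kept alongside a new one. A request with an encoded '=' in the path and no '?' at all is not covered, and that is the simplest input for the new `frag_index[WSI_TOKEN_HTTP_URI_ARGS]` condition. I would add a second case, `echo -e "GET /t%3dest HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap` followed by `check 0 "/t=est"`. An upper-case `%3D` variant would confirm that both hex spellings decode the same way.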
-- 
GitLab