uridecoding disallow uriencoded equals in name part

Signed-off-by: Andy Green <andy.green@linaro.org>

lib/parsers.c

@@ -334,11 +334,20 @@ int lws_parse(struct lws *wsi, unsigned char c)
 				if (ah->nfrag >= ARRAY_SIZE(ah->frags))
 					goto excessive;
 				/* start next fragment after the & */
+				wsi->u.hdr.post_literal_equal = 0;
 				ah->frags[ah->nfrag].offset = ah->pos;
 				ah->frags[ah->nfrag].len = 0;
 				ah->frags[ah->nfrag].nfrag = 0;
 				goto swallow;
 			}
+			/* uriencoded = in the name part, disallow */
+			if (c == '=' && enc && !wsi->u.hdr.post_literal_equal)
+				c = '_';
+
+			/* after the real =, we don't care how many = */
+			if (c == '=' && !enc)
+				wsi->u.hdr.post_literal_equal = 1;
+
 			/* + to space */
 			if (c == '+' && !enc)
 				c = ' ';
@@ -413,6 +422,7 @@ int lws_parse(struct lws *wsi, unsigned char c)
 			ah->frags[ah->nfrag].len = 0;
 			ah->frags[ah->nfrag].nfrag = 0;
 
+			wsi->u.hdr.post_literal_equal = 0;
 			ah->frag_index[WSI_TOKEN_HTTP_URI_ARGS] = ah->nfrag;
 			wsi->u.hdr.ups = URIPS_IDLE;
 			goto swallow;

lib/private-libwebsockets.h

@@ -810,6 +810,7 @@ struct _lws_header_related {
 	enum uri_path_states ups;
 	enum uri_esc_states ues;
 	char esc_stash;
+	char post_literal_equal;
 };
 
 struct _lws_websocket_related {

test-server/attack.sh

@@ -90,6 +90,12 @@ echo -e "GET /cgi-bin/settings.js?key1=value1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SE
 check 1 "key1=value1"
 check
 
+echo
+echo "---- ? processing (/test?key1%3d2=value1)"
+rm -f /tmp/lwscap
+echo -e "GET /test?key1%3d2=value1 HTTP/1.1\x0d\x0a\x0d\x0a" | nc $SERVER $PORT | sed '1,/^\r$/d'> /tmp/lwscap
+check 1 "key1_2=value1"
+check
 
 echo
 echo "---- ? processing (%2f%2e%2e%2f%2e./test.html?arg=1)"