Lws cares about trailing \n on a lot of these tests now. Make it check it still cares on one and remove
the trailing \n on the others.
There's 2 changes in the results about /..//?, it seems to apply / to uri arg 1. But it doesn't seem
to make a problem so just adapt the results for now.
This makes the URI argument processing split each parameter into
a "fragment". Processing header content as fragments already exists
in lws, because it's legal to deliver header content by repeating
the header.
Now there's an api to access individual fragments, also add the
code to the test server to print each URI argument separately.
Adapt attack.sh to parse the fragments.
Signed-off-by: Andy Green <andy.green@linaro.org>
If the URI coming from the client contains '?' then
- the URI part is terminated with a '\0'
- the remainder of the URI goes in a new header WSI_TOKEN_HTTP_URI_ARGS
- the remainder of the URI is not subject to path sanitization measures (it
still has %xx processing done on it)
In the test server, http requests now also dump header information to stderr.
The attack.sh script is simplified and can now parse the test server header dumps.
Signed-off-by: Andy Green <andy.green@linaro.org>
Seems like it would be a good idea to try to mess with the
server at least before someone else does it for us
Just run the script
$ test-server/attack.sh
it will spawn a test server and fire things at it. If you
see the end result
---- survived
then you should be OK.
Signed-off-by: Andy Green <andy.green@linaro.org>
