%00 is considered illegal in

 - the path part of the URL. A lot of user code handles it as a NUL-terminated string, even though the header get APIs are based around length. So it is disallowed to avoid ambiguity.
 - the name part of a urlarg, like ?name=value

%00 is valid in
When the parser sees %00 where it is not allowed, it simply drops the connection.
urlargs are allowed to contain non-NUL-terminated binary. So it is important to use the length-based urlarg APIs

 - lws_hdr_copy_fragment()
 - lws_get_urlarg_by_name_safe()

The non-length-based urlarg API

 - lws_get_urlarg_by_name()

...is soft-deprecated: it is still allowed, but the first %00 seen in the argument will fool it into truncating the argument. Use lws_get_urlarg_by_name_safe() instead.
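
The truncation described above, as an added stand-alone example (not libwebsockets code): a constructed urlarg value containing %00 is percent-decoded, then checked once as a NUL-terminated string and once by length. The helpers hexval(), decode_urlarg_value() and matches_length() are hypothetical names used only here, and the sample value is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not an lws API: value of a hex digit, or -1 */
static int hexval(int c)
{
	if (c >= '0' && c <= '9') return c - '0';
	c |= 0x20; /* fold A-F onto a-f */
	return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper: percent-decode a urlarg value, keeping %00 as data.
 * Returns the decoded length, or -1 if malformed or out is too small. */
static int decode_urlarg_value(const char *in, unsigned char *out, size_t max)
{
	size_t n = 0;
	int hi = 0, lo = 0;

	while (*in) {
		if (n + 1 >= max) return -1; /* keep room for a final NUL */
		if (*in != '%') {
			out[n++] = (unsigned char)*in++;
			continue;
		}
		if ((hi = hexval(in[1])) < 0 || (lo = hexval(in[2])) < 0)
			return -1;
		out[n++] = (unsigned char)((hi << 4) | lo);
		in += 3;
	}
	if (n >= max) return -1;
	out[n] = '\0';
	return (int)n;
}

/* Length-based comparison: every decoded byte has to match, %00 included */
static int matches_length(const unsigned char *val, int len, const char *want)
{
	return len >= 0 && (size_t)len == strlen(want) &&
	       memcmp(val, want, (size_t)len) == 0;
}

int main(void)
{
	unsigned char buf[32];
	int n = decode_urlarg_value("abc%00def", buf, sizeof(buf)); /* constructed */
	printf("decoded=%d strlen=%zu strcmp_ok=%d length_ok=%d\n", n, strlen((char *)buf),
	       !strcmp((char *)buf, "abc"), matches_length(buf, n, "abc"));
	return 0;
}
```

The string view accepts the value as "abc" while the length-based view sees seven bytes and rejects it, which is the ambiguity the length-based urlarg APIs avoid.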