mirror of
https://github.com/asterisk/asterisk.git
synced 2026-06-30 12:10:12 -07:00
1088d0ecca
The REST over WebSocket path now properly prevents non-GET methods from being executed on inbound WebSockets.

* The query parameters from the original incoming GET request that caused the upgrade to WebSocket are now passed to all REST requests that come from the client. This ensures that if the client authenticated with a read-only userid using the "api_key" query_string parameter, REST requests coming in over the WebSocket will only be able to execute GETs on resources. The HTTP headers were already passed to the REST requests so if the client had authenticated via an "Authorization" it was properly handled.

* New tests have been added to test_ari.c to check that read-only users are properly denied access to resources using non-GET methods. Several memory leaks were also squashed.

Resolves: #GHSA-wcvv-g26m-wx5c
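
A minimal C model of the check the commit message describes, added here as an illustration and not taken from the Asterisk source: the "api_key" value from the upgrade GET is kept with the WebSocket session and re-evaluated for every REST request sent over it. The struct and function names, the sample accounts and the 401/403 status codes are assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical model of the behaviour in the commit message; not Asterisk code. */
struct ari_user { const char *name; const char *password; int read_only; };

/* Constructed sample accounts. */
static const struct ari_user users[] = {
    { "monitor", "s3cret", 1 },   /* read-only */
    { "admin", "hunter2", 0 },    /* read-write */
};

/* Query string state saved from the GET that upgraded to WebSocket. */
struct ws_session { const char *api_key; /* "user:password", or NULL */ };

/* Resolve an api_key value to a configured user, or NULL. */
static const struct ari_user *lookup_user(const char *api_key)
{
    const char *colon = api_key ? strchr(api_key, ':') : NULL;
    size_t i, n;

    if (!colon)
        return NULL;
    n = (size_t)(colon - api_key);
    for (i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
        /* A model only: real code should compare secrets in constant time. */
        if (strlen(users[i].name) == n && !strncmp(api_key, users[i].name, n)
            && !strcmp(colon + 1, users[i].password))
            return &users[i];
    }
    return NULL;
}

/* Status for one REST request received over the WebSocket. The saved
 * api_key is re-applied to every request, so a read-only account stays
 * read-only after the upgrade. 401/403 are assumed status codes. */
int ws_rest_status(const struct ws_session *s, const char *method)
{
    const struct ari_user *u = lookup_user(s->api_key);

    if (!u)
        return 401;               /* no valid credential: fail closed */
    if (u->read_only && strcmp(method, "GET") != 0)
        return 403;               /* read-only user, non-GET method */
    return 200;
}
```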