https://bz.apache.org/bugzilla/show_bug.cgi?id=65272

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
This stricter parsing was introduced as part of the fix for CVE-2020-1935.

Because the fix was in response to a security issue, that makes it a lot less
likely the current behaviour will be changed. 

I'll note that both RFC 7230 and RFC 2616 state that recipients MAY treat
single LF as a line terminator. That makes the behaviour entirely optional and
Tomcat is still fully HTTP spec compliant by opting to reject requests that use
LF as the line terminator.

I need to look into the details of that vulnerability to see if there are any
options to relax the current behaviour without re-introducing a security
concern.

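The two line-terminator policies the comment contrasts, as an added example that is not Tomcat's code and not part of the original comment: `parse_head`, its `allow_bare_lf` flag and the sample requests are hypothetical and constructed for illustration. With the flag off, only CRLF ends a line and a bare LF is rejected; with it on, the optional lenient handling accepts a single LF.

```python
class BadLineTerminator(ValueError):
    """A line in the request head did not end in CRLF."""


def parse_head(raw: bytes, allow_bare_lf: bool = False):
    """Return (request_line, [(name, value), ...]) for a raw request head.

    allow_bare_lf=False: strict, every line must end in CRLF.
    allow_bare_lf=True: lenient, a single LF also ends a line.
    A CR that is not followed by LF is rejected in both modes.
    """
    lines, start, i = [], 0, 0
    while i < len(raw):
        if raw[i] == 0x0D:  # CR is only valid as the first half of CRLF
            if raw[i + 1:i + 2] != b"\n":
                raise BadLineTerminator(f"bare CR at offset {i}")
            end, i = i, i + 2
        elif raw[i] == 0x0A:  # LF with no CR in front of it
            if not allow_bare_lf:
                raise BadLineTerminator(f"bare LF at offset {i}")
            end, i = i, i + 1
        else:
            i += 1
            continue
        lines.append(raw[start:end])
        start = i
        if not lines[-1]:  # empty line marks the end of the head
            break
    if len(lines) < 2 or lines[-1]:
        raise ValueError("incomplete request head")
    headers = []
    for line in lines[1:-1]:
        name, sep, value = line.partition(b":")
        # Reject lines without a colon and names with surrounding whitespace.
        if not sep or not name or name != name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name, value.strip(b" \t")))
    return lines[0], headers


# Constructed sample requests (not taken from the bug report).
CRLF_REQ = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
LF_REQ = CRLF_REQ.replace(b"\r\n", b"\n")
```

Running the same bytes through both modes makes the compatibility cost visible: a client that sends LF-only requests works against the lenient policy and fails against the strict one.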