https://bz.apache.org/bugzilla/show_bug.cgi?id=65272

--- Comment #4 from Miguel <miguelinh...@gmail.com> ---
(In reply to Mark Thomas from comment #3)
> This stricter parsing was introduced as part of the fix for CVE-2020-1935.
> 
> Because the fix was in response to a security issue, that makes it a lot
> less likely the current behaviour will be changed. 
> 
> I'll note that both RFC 7230 and RFC 2616 state that recipients MAY treat
> single LF as a line terminator. That makes the behaviour entirely optional
> and Tomcat is still fully HTTP spec compliant by opting to reject requests
> that use LF as the line terminator.
> 
> I need to look into the details of that vulnerability to see if there are
> any options to relax the current behaviour without re-introducing a security
> concern.



Thank you for your work.

Additional information: We now see that the first version with problems is
9.0.31 (it doesn't respond), and with 9.0.33 the response is the one
originally reported.

We wait for news.
Regards
