https://bz.apache.org/bugzilla/show_bug.cgi?id=60735
--- Comment #2 from LiuYan 刘研 <lovet...@qq.com> ---
(In reply to Mark Thomas from comment #1)
> The characters are invalid so the 400 response is correct. The validation of
> request lines was tightened up as a result of CVE-2016-6816.

Thanks for the quick response.

So, does this mean the 'URIEncoding' parameter is useless now and will be removed in the future?

I actually like this convenient parameter; a clear URL string without URL-encoding is my favorite, and security isn't my first concern. So it would be nice if 'URIEncoding parameter enabled' were configurable for both security and convenience (disabled by default for security).