https://bz.apache.org/bugzilla/show_bug.cgi?id=60735

--- Comment #2 from LiuYan 刘研 <lovet...@qq.com> ---
(In reply to Mark Thomas from comment #1)
> The characters are invalid so the 400 response is correct. The validation of
> request lines was tightened up as a result of CVE-2016-6816.

Thanks for the quick response.

So, does this means 'URIEncoding' parameter is useless now and will be removed
in the future?




I actually like this convenient parameter, clear URL string without URL-encoded
is my favorite, and security isn't my first concern.

So it would be nice if 'URIEncoding parameter enabled' is configurable for both
security and convenience (disabled by default for security).

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to