Lighttpd

The last two lighttpd releases explicitly highlighted an upcoming behavior change. Do you even read lighttpd's front page? https://www.lighttpd.net/

server.http-parseopts

"url-ctrls-reject" => "enable" 
        reject any percent-encoded control chars

Beginning in Q1 2019, lighttpd defaults are scheduled to change to perform limited URL normalization on HTTP requests.

Has this change happened yet?

The lighttpd default will become server.http-parseopts = (“url-normalize-unreserved” => “enable”, “url-path-2f-decode” => “enable”)

"url-ctrls-reject" isn't in there.

The recommended settings for server.http-parseopts are the following,
"url-ctrls-reject" => "enable",

What's the rationale for disallowing tab (and lf?) in query string arguments?

How small a spoon do you need to be fed with?

Check your lighttpd.conf where this has been enabled by default since Debian package lighttpd 1.4.52-4

Smallest spoon you've got please.

I know where it's enabled..
I don't know why it's enabled.
And I think it shouldn't be enabled.

I don't know why it's enabled.
And I think it shouldn't be enabled.

Your statement of these two sentences, one right after the other, demonstrates to everyone with a clue that you do not have one, and that you are an uninformed troll. You will continued to be treated as such until you have some self-realization that you are not half as clever as you think you are.

Your uninformed opinions continue to be unwelcome here. I do not have any responsibility to disabuse you from your poorly constructed conclusions. In many interactions on this forum and on Debian lighttpd bug reports, you have not demonstrated to me that you have good sense and you do not have any credibility with me. Please cease posting your opinions.

You still haven't explained why it's considered invalid..

You still haven't explained why it's considered invalid..

%09 and %7F (among others) are percent-encoded control characters.

"url-ctrls-reject" => "enable" 
    reject any percent-encoded control chars

If it is unclear to you that this is documented and intended behavior, please ask a friend to help you understand English. doc:server.http-parseopts
If it is unclear to you that this behavior is documented and user-configurable, please ask a friend to help you understand "configuration" files.

I'm asking you WHY it's intended behavior..

I can understand your frustration if someone isn't reading the release notes, but these sort of hostile responses are really unnecessary IMO

As a huge fan of (and fairly regular donator to) lighty, we already know you do a lot of great work with lighty. Nobody questions that.

But please, could you consider not treating questions as a personal criticism?
It's not healthy for the project. Better to just post a link to the RFC, or even just close the ticket without a response

Just my thoughts anyway. Feel free to ignore/dismiss/delete them

Not looking to resurrect an argument, I just want what is best for the projects longevity

request tracker ([commercial link deleted]) needs:

server.http-parseopts = ( "url-ctrls-reject" => "disable", "url-path-2f-decode" => "disable" )

to be working again. Just in case some other rt user will end up in this thread after googling.