forbid lone CR/LF and NUL in headers (docs)

docs/source/settings.rst

@@ -1410,7 +1410,7 @@ Strip spaces present between the header name and the the ``:``.
 This is known to induce vulnerabilities and is not compliant with the HTTP/1.1 standard.
 See https://portswigger.net/research/http-desync-attacks-request-smuggling-reborn.
 
-Use with care and only if necessary. May be removed in a future version.
+Use with care and only if necessary. Deprecated; scheduled for removal in 25.0.0
 
 .. versionadded:: 20.0.1
 
@@ -1429,9 +1429,13 @@ This permits request methods of length less than 3 or more than 20,
 methods with lowercase characters or methods containing the # character.
 HTTP methods are case sensitive by definition, and merely uppercase by convention.
 
-This option is provided to diagnose backwards-incompatible changes.
+If unset, Gunicorn will apply nonstandard restrictions and cause 400 response status
+in cases where otherwise 501 status is expected. While this option does modify that
+behaviour, it should not be depended upon to guarantee standards-compliant behaviour.
+Rather, it is provided temporarily, to assist in diagnosing backwards-incompatible
+changes around the incomplete application of those restrictions.
 
-Use with care and only if necessary. May be removed in a future version.
+Use with care and only if necessary. Temporary; scheduled for removal in 24.0.0
 
 .. versionadded:: 22.0.0
 
@@ -1450,7 +1454,8 @@ This disables the refusal of likely malformed request lines.
 It is unusual to specify HTTP 1 versions other than 1.0 and 1.1.
 
 This option is provided to diagnose backwards-incompatible changes.
-Use with care and only if necessary. May be removed in a future version.
+Use with care and only if necessary. Temporary; the precise effect of this option may
+change in a future version, or it may be removed altogether.
 
 .. versionadded:: 22.0.0
 
@@ -1469,7 +1474,7 @@ HTTP methods are case sensitive by definition, and merely uppercase by conventio
 
 This option is provided because previous versions of gunicorn defaulted to this behaviour.
 
-Use with care and only if necessary. May be removed in a future version.
+Use with care and only if necessary. Deprecated; scheduled for removal in 24.0.0
 
 .. versionadded:: 22.0.0
 
@@ -1512,9 +1517,18 @@ Process requests with both Transfer-Encoding and Content-Length
 
 This is known to induce vulnerabilities, but not strictly forbidden by RFC9112.
 
-Use with care and only if necessary. May be removed in a future version.
+In any case, the connection is closed after the malformed request,
+as it is unclear if and at which boundary additional requests start.
+
+Use with care and only if necessary.
+Temporary; will be changed or removed in a future version.
 
 .. versionadded:: 22.0.0
+.. versionchanged: 22.1.0
+   The newly added rejection of invalid and dangerous characters CR, LF and NUL in
+   header field values is also controlled with this setting. rfc9110 permits both
+   rejecting and SP-replacing. With this option set, Gunicorn passes the field value
+   unchanged. With this option unset, Gunicorn rejects the request.
 
 Server Socket
 -------------