There is an security issue on line 843/844. An attacker can manipulate the log via malicious request.
The method doService extracts the URI from the request and uses it unvalidated.
An attacker can forge the log by sending a request containing %0D%0A
The log will looks like: