Defensive parsing for protocol, header, and path inputs

Summary#

Defensive parsing for protocol, header, and path inputs

Problem#

Framework code that trusts malformed request metadata or uses naive string matching can crash, mis-parse directives, or open security gaps.

Solution#

Parse structured inputs token-by-token instead of with substring checks, treat invalid numeric metadata as safe defaults, and use safe path join helpers for extracted archives or user-controlled paths. Add regression tests for malformed but realistic inputs.

Failure Modes#

  • Using substring checks for cache-control directives and matching unintended superstrings
  • Blindly casting CONTENT_LENGTH and raising unhandled exceptions on malformed values
  • Using naive split/strip logic that leaves edge whitespace or tokenization bugs
  • Joining extracted archive paths without traversal-safe normalization
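The solution and the failure modes above map onto three small helpers. The block below is an added example written for this page, not code from any of the FastAPI, Django, React or Kubernetes pull requests listed under Sources; the function names (`parse_cache_control`, `has_directive`, `safe_content_length`, `safe_join`, `is_safe_path`) and the sample inputs are constructed for illustration. It contrasts a substring check against token-by-token directive parsing, treats a malformed or negative `CONTENT_LENGTH` as 0 instead of raising, and rejects archive or user-controlled paths that would escape a base directory (including the `/srv/out` vs `/srv/output` shared-prefix case that a plain `startswith` check misses).

```python
"""Defensive parsing helpers (added example; names and inputs are constructed)."""
import posixpath
import re
from typing import Dict, Mapping, Optional

_DIGITS = re.compile(r"[0-9]+")  # ASCII digits only; str.isdigit() also accepts '²'


def parse_cache_control(header_value: str) -> Dict[str, Optional[str]]:
    """Tokenize a Cache-Control value into {directive: argument or None}.

    Directives are split on commas, trimmed and lower-cased; an optional
    '=' argument is kept (surrounding quotes removed). Empty tokens from
    stray commas are dropped instead of becoming '' keys.
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in header_value.split(","):
        token = raw.strip()
        if not token:
            continue
        name, sep, arg = token.partition("=")
        name = name.strip().lower()
        if not name:
            continue
        directives[name] = arg.strip().strip('"') if sep else None
    return directives


def has_directive(header_value: str, directive: str) -> bool:
    """Token-based presence check.

    Unlike `directive in header_value`, this does not match superstrings
    such as 'x-no-cache' or 'no-cache-please' when asked about 'no-cache'.
    """
    return directive.lower() in parse_cache_control(header_value)


def safe_content_length(environ: Mapping[str, str]) -> int:
    """Return CONTENT_LENGTH as a non-negative int, or 0 if missing/invalid.

    int() would raise on '' or 'abc'; '-1', '+5', '1e3' and ' 5' are also
    treated as invalid (0) rather than trusted.
    """
    raw = environ.get("CONTENT_LENGTH", "")
    if not isinstance(raw, str) or not _DIGITS.fullmatch(raw):
        return 0
    return int(raw)


def safe_join(base_dir: str, *untrusted_parts: str) -> str:
    """Join untrusted components under base_dir, rejecting traversal.

    base_dir must be an absolute POSIX path. Raises ValueError if the
    normalized result leaves base_dir, whether via '..', an absolute
    component (posixpath.join discards base on those), or a sibling
    directory that merely shares a string prefix.
    """
    base = posixpath.normpath(base_dir)
    if not base.startswith("/"):
        raise ValueError("base_dir must be absolute")
    candidate = posixpath.normpath(posixpath.join(base, *untrusted_parts))
    # commonpath is segment-aware: '/srv/out' vs '/srv/output/x' -> '/srv'
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes base directory: {candidate!r}")
    return candidate


def is_safe_path(base_dir: str, *untrusted_parts: str) -> bool:
    """Boolean wrapper around safe_join, handy for filtering archive members."""
    try:
        safe_join(base_dir, *untrusted_parts)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    hdr = "x-no-cache, max-age=0"
    print("substring:", "no-cache" in hdr, "token:", has_directive(hdr, "no-cache"))
    print(safe_content_length({"CONTENT_LENGTH": "abc"}), safe_content_length({"CONTENT_LENGTH": "42"}))
    for member in ("docs/readme.txt", "../../etc/passwd", "/etc/passwd"):
        print(member, "->", is_safe_path("/srv/extract", member))
```

The `is_safe_path` form is the one to use when iterating over archive members: skip (and log) rejected entries rather than aborting the whole extraction silently, so that a crafted archive is visible in the logs.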

Sources#

  • https://github.com/fastapi/fastapi/pull/15721
  • https://github.com/fastapi/fastapi/pull/15723
  • https://github.com/fastapi/fastapi/pull/15720
  • https://github.com/fastapi/fastapi/pull/15722
  • https://github.com/fastapi/fastapi/pull/15719
  • https://github.com/fastapi/fastapi/pull/15724
  • https://github.com/react/react/pull/36173
  • https://github.com/react/react/pull/36727
  • https://github.com/react/react/pull/36726
  • https://github.com/django/django/pull/21424
  • https://github.com/django/django/pull/21300
  • https://github.com/django/django/pull/21440
  • https://github.com/django/django/pull/21426
  • https://github.com/django/django/pull/21408
  • https://github.com/django/django/pull/21439
  • https://github.com/django/django/pull/21436
  • https://github.com/django/django/pull/21441
  • https://github.com/django/django/pull/21438
  • https://github.com/django/django/pull/21427
  • https://github.com/django/django/pull/21437
  • https://github.com/django/django/pull/20583
  • https://github.com/kubernetes/kubernetes/pull/137767
  • https://github.com/kubernetes/kubernetes/pull/139087
  • https://github.com/kubernetes/kubernetes/pull/139358
  • https://github.com/kubernetes/kubernetes/pull/139378
  • https://github.com/kubernetes/kubernetes/pull/139557
  • https://github.com/kubernetes/kubernetes/pull/136886
  • https://github.com/kubernetes/kubernetes/pull/139194
  • https://github.com/kubernetes/kubernetes/pull/139193
  • https://github.com/kubernetes/kubernetes/pull/139192
  • https://github.com/kubernetes/kubernetes/pull/136695
  • https://github.com/kubernetes/kubernetes/pull/139533
  • https://github.com/kubernetes/kubernetes/pull/139599
  • mined_at: 2026-06-10T16:04:31Z

Sagwan Revalidation 2026-06-10T16:12:24Z#

  • verdict: ok
  • note: The recommendation of defensive parsing and safe path joining is still consistent with standard practice.

Sagwan Revalidation 2026-06-11T18:16:25Z#

  • verdict: ok
  • note: Defensive parsing and safe path joins are consistent with current practice as well, so this can be reused.

Sagwan Revalidation 2026-06-12T18:34:19Z#

  • verdict: ok
  • note: A general secure-parsing recommendation; no conflict with current practice.
