Hi team,
Every once in a while someone reports the compression bomb risk with curl and
--compressed as a vulnerability. We regularly dismiss that as we believe we
document this risk and behavior.
Still, the risk is there: if you use --compressed, a tiny download can be
decompressed into a HUGE destination file.
The --max-filesize option does not help here because it sets a limit to the
size of the downloaded file, and one of these "bombs" does not have to be a
big download.
But maybe we can do better?
Would it make sense to have some kind of limit to the "explosion factor"?
Should perhaps the --max-filesize limit be applied on the uncompressed size as
well? Should there be a new separate option? Or should we rather leave things
as they are?
--
/ daniel.haxx.se || https://rock-solid.curl.dev
--
Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
Etiquette: https://curl.se/mail/etiquette.html
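To make the gap described above concrete, here is an added example (not curl's code and not part of this thread) that builds a small gzip "bomb" in memory with Python's zlib, shows that a check on the transferred size, which is what --max-filesize looks at, lets it through, and then inflates it with a decoder that counts uncompressed bytes as they are produced and aborts at a cap. That decoder is what applying the limit to the uncompressed size would look like, and it also carries an optional "explosion factor" limit in the sense the message asks about. The names inflate_bounded, max_filesize_allows, refuses, chunked, the 64 KiB per-call cap and the 1 MiB ratio floor are all assumptions of this example, not curl options or internals.

```python
import zlib

OUT_CHUNK = 64 * 1024  # upper bound on bytes zlib may hand back per call (assumed value)


class DecompressionLimitExceeded(Exception):
    """Raised when inflated output passes the configured size or ratio cap."""


def gzip_bytes(data, block=1024 * 1024):
    """gzip-compress data at level 9 (wbits=31 selects gzip framing)."""
    comp = zlib.compressobj(level=9, wbits=31)
    out = bytearray()
    for i in range(0, len(data), block):
        out += comp.compress(data[i:i + block])
    out += comp.flush()
    return bytes(out)


def make_gzip_bomb(plain_size):
    """Constructed sample: plain_size zero bytes, which gzip shrinks roughly 1000:1."""
    return gzip_bytes(bytes(plain_size))


def max_filesize_allows(compressed_body, max_filesize):
    """What a transfer-size limit like --max-filesize checks: bytes on the wire only."""
    return len(compressed_body) <= max_filesize


def chunked(body, size=16 * 1024):
    """Split a body into pieces the way it would arrive from the socket."""
    return [body[i:i + size] for i in range(0, len(body), size)]


def inflate_bounded(chunks, max_out, max_ratio=None, ratio_floor=1024 * 1024):
    """Inflate a gzip/zlib body delivered in chunks, enforcing limits on the OUTPUT.

    Aborts as soon as the uncompressed byte count passes max_out, or, once
    ratio_floor bytes have been produced, when output/input exceeds max_ratio
    (the "explosion factor"). The floor matters: the first few kilobytes of
    perfectly ordinary text can inflate at a very high ratio, so a ratio check
    with no floor would reject legitimate responses.
    """
    d = zlib.decompressobj(wbits=47)  # 32 + 15: accept gzip or zlib headers
    total_in = total_out = 0
    out = []

    def account(produced):
        nonlocal total_out
        total_out += len(produced)
        if total_out > max_out:
            raise DecompressionLimitExceeded(
                f"uncompressed size passed {max_out} bytes after {total_in} input bytes")
        if max_ratio is not None and total_out > ratio_floor and total_out > max_ratio * total_in:
            raise DecompressionLimitExceeded(
                f"explosion factor {total_out // total_in}:1 exceeds {max_ratio}:1")
        out.append(produced)

    for incoming in chunks:
        buf = incoming
        while buf:
            # max_length caps this call's output; input that was not inflated
            # comes back in unconsumed_tail, so no more than OUT_CHUNK bytes are
            # ever materialised without first passing through account().
            produced = d.decompress(buf, OUT_CHUNK)
            total_in += len(buf) - len(d.unconsumed_tail)
            buf = d.unconsumed_tail
            account(produced)
    # zlib may still hold output that the per-call cap cut off; drain it the
    # same way, still counting, before trusting the end-of-stream marker.
    while not d.eof:
        produced = d.decompress(b"", OUT_CHUNK)
        if not produced:
            raise ValueError("truncated compressed stream")
        account(produced)
    return b"".join(out)


def refuses(chunks, **limits):
    """True if inflate_bounded aborts on this body with the given limits."""
    try:
        inflate_bounded(chunks, **limits)
    except DecompressionLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    bomb = make_gzip_bomb(64 * 1024 * 1024)   # 64 MiB of zeros on the far side
    limit = 1024 * 1024                        # 1 MiB, applied to either side
    print(f"bomb on the wire: {len(bomb)} bytes; "
          f"transfer-size limit of {limit} allows it: {max_filesize_allows(bomb, limit)}")
    try:
        inflate_bounded(chunked(bomb), max_out=limit, max_ratio=100)
    except DecompressionLimitExceeded as e:
        print("bounded inflate refused it:", e)
```

The point of the chunked loop with max_length is that the limit is enforced before memory or disk is consumed, not after: a check that inflates everything and then measures the result has already paid for the bomb. The ratio limit is the harder one to get right, which is why the example only applies it after a floor; a short, highly repetitive but legitimate response can sit above 100:1 for its first kilobytes.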