> On 02.03.2026 at 09:53, Daniel Stenberg via curl-users
> <[email protected]> wrote:
>
> Hi team,
>
> Every once in a while someone reports the compression bomb risk with curl and
> --compressed as a vulnerability. We regularly dismiss that as we believe we
> document this risk and behavior.
>
> Still, the risk is there: if you use --compressed, a tiny download can be
> decompressed into a HUGE destination file.
>
> The --max-filesize option does not help here because it sets a limit to the
> size of the downloaded file, and one of these "bombs" does not have to be a
> big download.
>
> But maybe we can do better?
>
> Would it make sense to have some kind of limit to the "explosion factor"?
> Should perhaps the --max-filesize limit be applied on the uncompressed size
> as well? Should there be a new separate option? Or should we rather leave
> things as they are?

My personal preference would be to apply this to the uncompressed size as well.
But other users' opinions and expectations are as relevant as mine. So, please
speak out.

Cheers,
Stefan
> --
>
> / daniel.haxx.se || https://rock-solid.curl.dev
> --
> Unsubscribe: https://lists.haxx.se/mailman/listinfo/curl-users
> Etiquette: https://curl.se/mail/etiquette.html
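An added example, not code from curl or from anyone on this thread, showing in Python why a cap on the downloaded (compressed) size misses a compression bomb while a cap applied to the uncompressed output, as proposed above, stops it early. The sample body, the size values and all function names are constructed for this illustration.

```python
"""Bounded decompression: cap the uncompressed output, not just the download."""
import gzip
import zlib

# Constructed sample: 1 MiB of zero bytes gzips to roughly 1 KiB on the wire,
# so a limit on the downloaded size (like --max-filesize) never triggers,
# while the inflated output is about a thousand times larger.
SAMPLE_UNCOMPRESSED = 1 << 20
SAMPLE_BODY = gzip.compress(b"\0" * SAMPLE_UNCOMPRESSED)


class DecompressionLimitExceeded(Exception):
    """Raised as soon as inflating would pass the uncompressed-size cap."""


def inflate_bounded(compressed: bytes, max_uncompressed: int, chunk_size: int = 4096) -> bytes:
    """Inflate a gzip or zlib stream, aborting once output exceeds max_uncompressed.

    Input is fed in chunks and every decompress() call is told how much output
    is still allowed, so memory never grows past the cap even for a bomb.
    """
    d = zlib.decompressobj(wbits=zlib.MAX_WBITS | 32)  # +32: auto-detect gzip/zlib header
    out = bytearray()
    pos = 0
    pending = b""
    while not d.eof:
        if not pending:
            if pos >= len(compressed):
                break  # truncated stream: return what was inflated so far
            pending = compressed[pos:pos + chunk_size]
            pos += chunk_size
        allowed = max_uncompressed - len(out)
        out += d.decompress(pending, max_length=allowed + 1)  # +1 makes overshoot detectable
        if len(out) > max_uncompressed:
            raise DecompressionLimitExceeded(
                f"uncompressed size exceeded {max_uncompressed} bytes "
                f"after reading {pos} compressed bytes")
        pending = d.unconsumed_tail  # input left over because the output limit was hit
    out += d.flush()
    if len(out) > max_uncompressed:
        raise DecompressionLimitExceeded(f"uncompressed size exceeded {max_uncompressed} bytes")
    return bytes(out)


def exceeds_cap(compressed: bytes, max_uncompressed: int) -> bool:
    """True if inflating `compressed` would blow past the uncompressed cap."""
    try:
        inflate_bounded(compressed, max_uncompressed)
    except DecompressionLimitExceeded:
        return True
    return False


def explosion_factor(compressed: bytes, max_uncompressed: int) -> float:
    """Ratio of uncompressed to compressed size for a body that fits under the cap."""
    return len(inflate_bounded(compressed, max_uncompressed)) / len(compressed)
```

With a cap on the compressed size the sample body passes (it is only about a kilobyte); with the same cap applied to the inflated output the download is rejected after a single chunk.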