Security fix: defend against zip bombs.

[aaugustin]

websockets 4.0 was vulnerable to denial of service by memory exhaustion because it didn't enforce max_size when decompressing compressed messages.

[aaugustin]

I'm requesting a CVE for this issue.

[codecov]

Codecov Report

Merging #407 into master will not change coverage.
The diff coverage is 100%.

@@          Coverage Diff          @@
##           master   #407   +/-   ##
=====================================
  Coverage     100%   100%           
=====================================
  Files          29     29           
  Lines        3159   3170   +11     
  Branches      332    333    +1     
=====================================
+ Hits         3159   3170   +11

Impacted Files	Coverage Δ
websockets/framing.py	100% <100%> (ø)	⬆️
websockets/extensions/base.py	100% <100%> (ø)	⬆️
websockets/extensions/test_permessage_deflate.py	100% <100%> (ø)	⬆️
websockets/extensions/permessage_deflate.py	100% <100%> (ø)	⬆️
websockets/test_framing.py	100% <100%> (ø)	⬆️
websockets/test_client_server.py	100% <100%> (ø)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 2b89213...5b96bdc. Read the comment docs.

[aaugustin]

I reached out by email to maintainers of competing libraries which appear to be vulnerable to the same issue. (Not going to provide a list who for obvious reasons.)

[aaugustin]

Same fix in Tornado: tornadoweb/tornado#2391

[abergmann]

CVE-2018-1000518 was assigned to this issue.