Impact
When using the .size decompression limit, request and response decompression checks the size of the compressed bytes instead of the decompressed bytes, which allows a remote peer to cause a denial of service in a client or server.
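The difference between the two checks, as an added Python model that is not swift-nio-extras code: a size limit compared against compressed bytes lets a small, highly compressible body inflate without bound, while the same limit compared against decompressed bytes stops it early. The function names, the 1 MiB limit and the sample bodies are assumptions constructed for this illustration.

```python
import zlib

class LimitExceeded(Exception):
    def __init__(self, produced):
        super().__init__(f"decompression limit exceeded after {produced} bytes")
        self.produced = produced

def exceeded_flawed(limit, compressed, decompressed):
    # Models the behaviour described in the advisory: compressed size is compared.
    return compressed > limit

def exceeded_fixed(limit, compressed, decompressed):
    # A size limit has to bound what the decompressor produces.
    return decompressed > limit

def inflate_with_limit(body, limit, exceeded, step=16384):
    """Inflate body in bounded steps; return the decompressed byte count."""
    d = zlib.decompressobj()
    produced, data = 0, body
    while data and not d.eof:
        produced += len(d.decompress(data, step))  # at most `step` bytes out
        if exceeded(limit, len(body), produced):
            raise LimitExceeded(produced)
        data = d.unconsumed_tail  # input not yet consumed because of `step`
    produced += len(d.flush())  # small remainder buffered inside zlib
    if exceeded(limit, len(body), produced):
        raise LimitExceeded(produced)
    return produced

# Constructed sample inputs (not taken from the advisory).
LIMIT = 1024 * 1024                               # 1 MiB size limit
SAMPLE_BODY = zlib.compress(b"\0" * (8 * LIMIT))  # 8 MiB of zeros, a few KiB compressed
BENIGN_BODY = zlib.compress(b"hello")

if __name__ == "__main__":
    print("compressed bytes:", len(SAMPLE_BODY))
    print("flawed check inflated:", inflate_with_limit(SAMPLE_BODY, LIMIT, exceeded_flawed))
    try:
        inflate_with_limit(SAMPLE_BODY, LIMIT, exceeded_fixed)
    except LimitExceeded as e:
        print("fixed check stopped at:", e.produced)
```

Because the check runs after every bounded step, the corrected version never holds more than the limit plus one step of output before rejecting the body.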
Patches
Released on swift-nio-extras version 1.4.1.
Workarounds
Use the .ratio decompression limit.
Thanks
Many thanks to @adtrevor for the bug report & fix.