Add missing gzip footer check in ActiveSupport::Gzip.decompress #28158
I noticed that gzip data decompressed with
So calling Zlib::GzipReader#read isn't enough; the Zlib::GzipReader also needs to be closed to make sure the footer is checked.
I added a failing test that showed that the footer wasn't being checked by flipping some bits in the CRC32 field of the footer. Details on the gzip file format can be found in RFC 1952, which documents the end of the file as having a 4-byte CRC32 field and a 4-byte input size field.
To fix this bug I used
A gzip file has a checksum and length for the decompressed data in its footer, which isn't checked by just calling Zlib::GzipReader#read. Zlib::GzipReader#close must be called after reading to the end of the file to cause this check to be done, which is done by Zlib::GzipReader.wrap after its block is called.
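The behaviour described above, as an added Ruby example (not code from this pull request or from Rails): `decompress_unchecked`, `decompress_checked`, `corrupt_footer` and `compare` are hypothetical names, and the payload is constructed. It goes one step beyond the CRC32 case by also damaging the input size field.

```ruby
require "zlib"
require "stringio"

# Hypothetical helper: reads to the end but never closes the reader,
# so the 8-byte footer (CRC32 + input size, RFC 1952) is never compared.
def decompress_unchecked(source)
  Zlib::GzipReader.new(StringIO.new(source)).read
end

# Hypothetical helper: GzipReader.wrap closes the reader after the block,
# and that close is what verifies the footer.
def decompress_checked(source)
  Zlib::GzipReader.wrap(StringIO.new(source), &:read)
end

# Return a copy of a gzip member with one footer byte inverted.
# offset_from_end: 8 = first CRC32 byte, 4 = first input size byte.
def corrupt_footer(gzip_data, offset_from_end)
  damaged = gzip_data.dup
  index = damaged.bytesize - offset_from_end
  damaged.setbyte(index, damaged.getbyte(index) ^ 0xff)
  damaged
end

# Run both helpers over one input and report what each did: the
# decompressed string, or the class of the Zlib error that was raised.
def compare(source)
  unchecked = decompress_unchecked(source)
  checked = begin
    decompress_checked(source)
  rescue Zlib::GzipFile::Error => e
    e.class
  end
  { unchecked: unchecked, checked: checked }
end

PAYLOAD = "Hello World" # constructed sample input
INTACT  = Zlib.gzip(PAYLOAD)
BAD_CRC = corrupt_footer(INTACT, 8)
BAD_LEN = corrupt_footer(INTACT, 4)

if __FILE__ == $PROGRAM_NAME
  { intact: INTACT, bad_crc: BAD_CRC, bad_len: BAD_LEN }.each do |name, data|
    puts "#{name}: #{compare(data).inspect}"
  end
end
```

With a damaged footer the unclosed reader still returns the payload, which is why a caller relying on the gzip checksum for integrity has to close the reader, or use `wrap`, before trusting the output.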