Revert "Defend against brotli decompression bombs (#8227)" #8229
Conversation
This reverts commit 84a028d.
I am not sure I agree with that.
Similar advice at google/brotli#960 I guess if my concern is true, this doesn't actually fix it really. |
|
Brotli isn't enabled by default - so you could make this a required param for adding it? |
|
Here’s where I landed after pondering this... The reported bomb is only destructive if the application layer does something trusting with it; perhaps by loading it all into memory, or by writing it all to a file system. And in these cases I don’t think we need Brotli, any problematic HTTP response could harm the receiver. Probably the most likely victim is a person writing a web crawler with OkHttp, because that naturally involves making requests to untrusted servers. But I believe the burden is on the application layer to limit how many resources are consumed by each response. |
Yep - gzip also https://en.wikipedia.org/wiki/Zip_bomb |
This reverts commit 84a028d.
I’ve been giving this change some thought, and I’ve decided that my original fix is a layering violation.
OkHttp’s ResponseBody API streams bytes to the reader, and there’s no reason to think the decompressed data is going to yield a crash. For example, the consumer might be doing something super basic, like playing a looping sound on a speaker.
If the client is going to make a call that could result in an overly-large response, the client should put limits on how many bytes it reads.