Created attachment 778403
Cyberis Whitepaper - Evil HTTP Compression.pdf

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.71 Safari/537.36

Steps to reproduce:
Compress 1TB of /dev/zero with four rounds of gzip compression (resulting file size 43k). Deliver compressed content to browser with 'Content-Encoding: gzip, gzip, gzip, gzip'.
Testing framework available here - https://github.com/cyberisltd/GzipBloat

Actual results:
Operating system resources are exhausted, ultimately resulting in a crash of the browser.

Expected results:
Browser should display a suitable error message indicating it is not possible to decompress content. If decompression is attempted, multiple calls to the decompression routine should be made to prevent exhaustion of memory.
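A scaled-down reconstruction of the technique in the report, together with a decoder that behaves the way the "Expected results" ask (pull the output in bounded pieces and stop as soon as a layer outgrows its budget). This is an added example; it is not code from the bug report, the whitepaper or the GzipBloat framework. It assumes 32 MiB of zeros instead of 1 TB, a per-layer output budget of 1 MiB and a maximum of four stacked codings; those numbers are illustrative choices and not limits taken from any browser.

```python
"""Layered gzip bomb ("Content-Encoding: gzip, gzip, ...") and a bounded decoder.

Added example, not from the bug report or the GzipBloat repository.
All sizes and limits below are constructed for illustration.
"""
import gzip
import io
import zlib

# Assumed, scaled-down parameters: the report used 1 TB of zeros and 4 rounds.
ZERO_BYTES = 32 * 1024 * 1024      # 32 MiB of zeros instead of 1 TB
ROUNDS = 4
OUTPUT_CAP = 1024 * 1024           # assumed per-layer output budget (1 MiB)
MAX_LAYERS = 4                     # assumed limit on stacked codings

GZIP_WBITS = 31                    # zlib wbits selecting the gzip container


def encode_layers(data: bytes, rounds: int) -> bytes:
    """Apply `rounds` nested gzip layers to an in-memory payload."""
    for _ in range(rounds):
        data = gzip.compress(data, compresslevel=9)
    return data


def build_zero_bomb(size: int, rounds: int) -> bytes:
    """Compress `size` zero bytes `rounds` times.

    The innermost layer is streamed 1 MiB at a time, so the zeros never
    exist in memory at once (the report fed /dev/zero for the same reason).
    """
    comp = zlib.compressobj(9, zlib.DEFLATED, GZIP_WBITS)
    chunk = bytes(1024 * 1024)
    first = io.BytesIO()
    remaining = size
    while remaining > 0:
        n = min(len(chunk), remaining)
        first.write(comp.compress(chunk[:n]))
        remaining -= n
    first.write(comp.flush())
    return encode_layers(first.getvalue(), rounds - 1)


def content_encoding_header(rounds: int) -> str:
    """Header value a server would send for `rounds` stacked gzip layers."""
    return ", ".join(["gzip"] * rounds)


class DecompressionLimitExceeded(Exception):
    pass


def inflate_bounded(blob: bytes, cap: int, step: int = 64 * 1024) -> bytes:
    """Inflate one gzip layer without ever holding more than `cap` output bytes.

    Output is pulled at most `step` bytes per decompress() call (the
    'multiple calls' the report asks for), so a bomb is rejected after
    producing cap + step bytes at most, not after filling memory.
    """
    d = zlib.decompressobj(GZIP_WBITS)
    out = bytearray()
    pending = blob
    while not d.eof:
        produced = d.decompress(pending, step)
        out += produced
        if len(out) > cap:
            raise DecompressionLimitExceeded(
                f"layer expanded past {cap} bytes before end of stream")
        pending = d.unconsumed_tail          # input zlib has not consumed yet
        if not pending and not produced and not d.eof:
            raise ValueError("truncated gzip stream")
    return bytes(out)


def decode_body(body: bytes, content_encoding: str, cap: int = OUTPUT_CAP):
    """Decode a response body according to its Content-Encoding header.

    The header lists codings in the order they were applied, so they are
    removed last-to-first.  Returns ('ok', data) or ('rejected', reason).
    """
    codings = [c.strip().lower() for c in content_encoding.split(",") if c.strip()]
    if len(codings) > MAX_LAYERS:
        return "rejected", f"{len(codings)} stacked codings exceeds limit {MAX_LAYERS}"
    data = body
    for layer, coding in enumerate(reversed(codings), start=1):
        if coding not in ("gzip", "x-gzip"):
            return "rejected", f"unsupported coding {coding!r}"
        try:
            data = inflate_bounded(data, cap)
        except DecompressionLimitExceeded as e:
            return "rejected", f"layer {layer}: {e}"
        except (zlib.error, ValueError) as e:
            return "rejected", f"layer {layer}: malformed data ({e})"
    return "ok", data


if __name__ == "__main__":
    bomb = build_zero_bomb(ZERO_BYTES, ROUNDS)
    hdr = content_encoding_header(ROUNDS)
    print(f"bomb: {len(bomb)} bytes on the wire, header {hdr!r}")
    print("bomb  ->", decode_body(bomb, hdr))
    print("legit ->", decode_body(encode_layers(b"hello", 2), "gzip, gzip"))
```

The outer three layers of the bomb inflate to a few kilobytes each; only the innermost layer carries the zeros, and the decoder refuses it after roughly cap + step bytes instead of trying to materialise the whole 32 MiB (or 1 TB in the report's setup). Keeping a separate cap on the number of stacked codings is cheap and catches the header itself before any inflation starts.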
Other vendors mentioned in the paper also aware of the issue.