
Content encoding of POST request body is ignored

Open pimterry opened this issue 6 years ago • 2 comments

If a request is POSTed with a gzipped body and a content-encoding: gzip header, the content is not decoded.

For example, when posting to /post with a content-type: application/json gzipped body & content encoding, the response contains "data": "data:application/octet-stream;base64,BASE64GZIPPEDDATA" and "json": null.

If there is no encoding used, json shows the parsed json correctly.

pimterry avatar Sep 04 '19 17:09 pimterry

Web servers should not decompress gzipped content they don't trust. Web servers that do can get gzip bombed: that is, a crafted payload that is extremely duplicative, for example a 20GB file filled with just the letter "a" over and over. When gzipped it shrinks to a really small size. If transferred to the server, the server has no idea how big the uncompressed content will be; it might arrive with only a few hundred KB, but then when it decompresses it immediately takes up all the memory and crashes. For httpbin.org, it should not expand compressed request bodies, but I could see a config flag for the Docker version that allows a private instance to do this.

more info: https://en.wikipedia.org/wiki/Zip_bomb

raphaeleidus avatar Jul 07 '21 18:07 raphaeleidus
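The bounded-decompression idea behind the comment above, written out as an added example. This is not httpbin's code and not the PR mentioned in the thread: `decode_post_body` is a simplified stand-in for the part of httpbin's /post echo that fills `data` and `json`, `allow_gzip` is a hypothetical flag standing in for the "config flag for the Docker version", and `MAX_DECOMPRESSED_BYTES` is an assumed cap. The point it shows is that `zlib.decompressobj` with `max_length` lets a server inflate a body while never holding more than the cap in memory, so a repetitive payload like the one described (here a constructed 4 MiB run of "a", not 20GB) is rejected after the first megabyte instead of exhausting RAM.

```python
import base64
import gzip
import json
import zlib

# Hypothetical cap for a private instance (assumption, not an httpbin setting).
MAX_DECOMPRESSED_BYTES = 1024 * 1024  # 1 MiB


class DecompressionBombError(ValueError):
    """Raised when a gzip body would expand past the configured cap."""


def gunzip_bounded(body: bytes, limit: int = MAX_DECOMPRESSED_BYTES) -> bytes:
    """Inflate a gzip-encoded body, refusing to produce more than `limit` bytes.

    wbits=31 selects the gzip container. The max_length argument to
    decompress() caps the output of each call, so peak memory is bounded by
    `limit` no matter what the compressed stream would expand to.
    """
    d = zlib.decompressobj(wbits=31)
    out = bytearray()
    chunk = body
    while chunk:
        # Request at most one byte beyond the remaining room: a single extra
        # byte is enough to detect overflow without buffering the expansion.
        room = limit - len(out) + 1
        out += d.decompress(chunk, room)
        if len(out) > limit:
            raise DecompressionBombError(
                f"gzip body expands past {limit} bytes; refusing to decode")
        chunk = d.unconsumed_tail  # input not yet consumed because output was capped
    if not d.eof:
        raise ValueError("truncated or corrupt gzip stream")
    return bytes(out)


def decode_post_body(headers: dict, body: bytes, allow_gzip: bool = False) -> dict:
    """Simplified stand-in for httpbin's /post echo of 'data' and 'json'.

    allow_gzip is the hypothetical per-instance flag from the thread: False
    reproduces the public behaviour described in the issue (opaque base64
    data URL, json stays null); True inflates the body under the cap.
    """
    headers = {k.lower(): v for k, v in headers.items()}
    if headers.get("content-encoding", "").lower() == "gzip":
        if not allow_gzip:
            return {
                "data": "data:application/octet-stream;base64,"
                        + base64.b64encode(body).decode("ascii"),
                "json": None,
            }
        body = gunzip_bounded(body)
    text = body.decode("utf-8", errors="replace")
    parsed = None
    if headers.get("content-type", "").split(";")[0].strip() == "application/json":
        try:
            parsed = json.loads(text)
        except ValueError:
            parsed = None
    return {"data": text, "json": parsed}


def gzip_json_body(obj) -> bytes:
    """Constructed request body: JSON, then gzip, as a client would send it."""
    return gzip.compress(json.dumps(obj).encode("utf-8"))


def make_bomb(uncompressed_size: int) -> bytes:
    """Constructed repetitive payload; a run of one byte compresses ~1000:1."""
    return gzip.compress(b"a" * uncompressed_size)


if __name__ == "__main__":
    hdrs = {"Content-Type": "application/json", "Content-Encoding": "gzip"}
    print(decode_post_body(hdrs, gzip_json_body({"hello": "world"})))
    print(decode_post_body(hdrs, gzip_json_body({"hello": "world"}), allow_gzip=True))
    bomb = make_bomb(4 * 1024 * 1024)
    print(f"bomb is {len(bomb)} bytes compressed")
    try:
        decode_post_body(hdrs, bomb, allow_gzip=True)
    except DecompressionBombError as e:
        print("rejected:", e)
```

The cap is enforced on output, not input, which is the property that matters: the compressed size of a bomb tells the server nothing, and checking `Content-Length` alone would let the few-KB payload through.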

@pimterry I submitted a PR with support for this, but it will only be for local usage, not for the public-facing instances, due to the attack vulnerability.

raphaeleidus avatar Jul 08 '21 00:07 raphaeleidus