What archive? The idea was to use Transfer-Encoding: gzip, which means the compression is a transparent part of the HTTP request which the client HTTP library will automatically try to extract.
Unless I misunderstood, there was a gzip transfer encoded gzip.
The transfer-encoding means that the proxy has to decompress a 200kb request into a 2Gb response to the client, and the client will receive a 2Gb file that will expand to 20Gb.
Small VM gets knocked offline and the proxy gets grumpy with the client for large file transfers.
> Unless I misunderstood, there was a gzip transfer encoded gzip.
Yes, correct. A gzip bomb inside a gzip bomb that contains only null bytes, because it's much larger on the client side when unpacked.
A "normal" gzip bomb that would only leverage "Content-Encoding: gzip" or only "Transfer-Encoding: gzip" isn't really good as for compression ratio, because the sent file is in the megabytes range (I think it was around 4MBish when I tried with gzip -9?). I don't wanna send megabytes in response to clients, because that would be a potential DoS.
I'm using "archive" as a generic term for gzip/zip/etc.
But that's a good point; I'd not considered that if you compress the HTTP response it'll almost certainly get automatically extracted which "detonates" the (g)zip bomb.
