> Unless I misunderstood, there was a gzip transfer encoded gzip.
Yes, correct. A gzip bomb inside a gzip bomb that contains only null bytes, because it's much larger on the client side when unpacked.
A "normal" gzip bomb that would only leverage "Content-Encoding: gzip" or only "Transfer-Encoding: gzip" isn't really good as for compression ratio, because the sent file is in the megabytes range (I think it was around 4MBish when I tried with gzip -9?). I don't wanna send megabytes in response to clients, because that would be a potential DoS.
edit: also note the sibling comment here: https://news.ycombinator.com/item?id=41923635#41936586
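
The receiving side of the nested gzip response described in the comment above, as an added example that is not part of the original thread: a decoder that caps the output of every gzip layer, so a small double-compressed body of null bytes is rejected before it is fully inflated. The function names, the layer count argument and the sample payloads are assumptions made for illustration.

```python
import gzip
import zlib

class DecompressionLimitExceeded(Exception):
    """A gzip layer expanded past the configured output budget."""

def bounded_gunzip(data: bytes, max_out: int) -> bytes:
    """Inflate one gzip layer, stopping as soon as output exceeds max_out bytes."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16 + MAX_WBITS selects gzip framing
    out = bytearray()
    buf = data
    while not d.eof:
        # Request at most one byte more than the remaining budget, so an
        # oversized stream is detected without being inflated in full.
        piece = d.decompress(buf, max_out - len(out) + 1)
        out += piece
        if len(out) > max_out:
            raise DecompressionLimitExceeded(f"layer exceeds {max_out} bytes")
        buf = d.unconsumed_tail
        if not d.eof and not piece and not buf:
            raise ValueError("truncated gzip stream")
    return bytes(out)

def decode_layers(body: bytes, layers: int, max_out: int) -> bytes:
    """Undo `layers` nested gzip encodings, applying the cap to every layer."""
    for _ in range(layers):
        body = bounded_gunzip(body, max_out)
    return body

def within_budget(body: bytes, layers: int, max_out: int) -> bool:
    """True if every layer decodes without exceeding max_out bytes."""
    try:
        decode_layers(body, layers, max_out)
    except DecompressionLimitExceeded:
        return False
    return True

# Constructed samples (not from the thread): 8 MiB of null bytes compressed
# twice, and a harmless short body compressed twice.
SAMPLE_WIRE = gzip.compress(gzip.compress(bytes(8 * 1024 * 1024)))
SMALL_WIRE = gzip.compress(gzip.compress(b"hello"))

if __name__ == "__main__":
    print("bytes on the wire:", len(SAMPLE_WIRE))
    print("outer layer alone:", len(bounded_gunzip(SAMPLE_WIRE, 1024 * 1024)))
    print("both layers within 1 MiB:", within_budget(SAMPLE_WIRE, 2, 1024 * 1024))
```

The outer layer passes the cap on its own; only the per-layer check on the inner stream stops the expansion, which is why a limit applied to a single decoding step is not enough for stacked encodings.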