From: Eric Hodel
Date: 2012-06-09T10:16:08+09:00
Subject: [ruby-core:45531] Re: [ruby-trunk - Feature #6492][Open] Inflate all HTTP Content-Encoding: deflate, gzip, x-gzip responses by default

On Jun 8, 2012, at 5:28 PM, Eric Wong wrote:
> I like Net::HTTP being able to inflate compressed responses.
>
> However, I think doing this by default is exploitable by an evil server.
> A server could compress a huge file of zeroes to trigger an
> out-of-memory condition in existing code that uses Net::HTTP.

Net::HTTP#get does this by default already, this patch (and #6494) make this the default for all requests. If you aren't using the API to handle a compressed 100MB request (Net::HTTPResponse#read_body with a block) you probably can't handle a raw 100MB response, so what is the difference besides bandwidth cost of the server?
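
The streaming style mentioned in the message above (Net::HTTPResponse#read_body with a block) can be paired with a cap on inflated output so a highly compressible body is rejected before it fills memory. This is an added example, not part of the original message or of Net::HTTP; `bounded_inflate`, `InflateLimitExceeded`, `constructed_chunks` and the sample payload are hypothetical names and constructed data.

```ruby
require 'zlib'

# Hypothetical error type for this example.
class InflateLimitExceeded < StandardError; end

# Inflate a compressed body that arrives in chunks (as it does from
# Net::HTTPResponse#read_body with a block), passing each inflated piece
# to the caller's block and aborting once `limit` bytes have been produced.
# Returns the total number of inflated bytes.
def bounded_inflate(chunks, limit)
  # MAX_WBITS + 32 lets zlib auto-detect a gzip or zlib (deflate) header.
  inflater = Zlib::Inflate.new(Zlib::MAX_WBITS + 32)
  total = 0
  chunks.each do |chunk|
    # Block form: output is handed over in pieces as it is produced, so
    # the whole inflated body is never accumulated in one String here.
    inflater.inflate(chunk) do |piece|
      total += piece.bytesize
      if total > limit
        raise InflateLimitExceeded, "inflated body exceeds #{limit} bytes"
      end
      yield piece if block_given?
    end
  end
  total
ensure
  inflater.close if inflater && !inflater.closed?
end

# Constructed sample: 10 MB of zero bytes, gzip-compressed, split into
# 512-byte chunks to imitate network reads.
def constructed_chunks(size = 10 * 1024 * 1024)
  body = Zlib.gzip("\0" * size)
  body.bytes.each_slice(512).map { |s| s.pack('C*') }
end

if __FILE__ == $0
  chunks = constructed_chunks
  puts "compressed: #{chunks.sum(&:bytesize)} bytes"
  begin
    bounded_inflate(chunks, 1024 * 1024)
  rescue InflateLimitExceeded => e
    puts "rejected: #{e.message}"
  end
end
```

The limit counts inflated bytes, so it bounds memory and processing regardless of how small the compressed body is on the wire.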