daniel:// stenberg://On #curl's --max-filesize and --compressed. Should we do something about the "compression bomb" risk?
ShutterBugged@bagder I'd probably add --max-decompressed-filesize. I can think of a few scenarios where tying it to --max-filesize would cause well-intentioned/reasonable apps to explode. It does strike me as something curl could make a lot easier to mitigate, not just document, and that makes me thing this is well worth doing.
@bagder As for apps: I could see someone with a package manager or similar downloading compressed archives over a metered connection. They could use --max-filesize to stay under their bandwidth cap. But, if that limit suddenly applies to the decompressed files, valid download-and-unpack operations are going to start failing.