CURLOPT_ACCEPT_ENCODING.md: warn about the expansion

also mention it in KNOWN_RISKS.md

Closes #20031

diff --git a/docs/KNOWN_RISKS.md b/docs/KNOWN_RISKS.md
index 3773b94f86bd70e570d5c1982864ccc5c4436b39..6138df7f2657f5ccce7adfb2bbe06958b3e1ce4d 100644 (file)
--- a/docs/KNOWN_RISKS.md
+++ b/docs/KNOWN_RISKS.md
@@ -9,6 +9,8 @@ SPDX-License-Identifier: curl
 This is an incomplete list of known risks when running and using curl and
 libcurl.
 
+# Risks
+
 ## Insecure transfers
 
 When using curl to perform transfers with protocols that are insecure or the
@@ -136,3 +138,9 @@ authentication.
 
 curl users should consider switching to servers and options that use modern
 and secure algorithms.
+
+## Compression bombs
+
+When asking curl or libcurl to automatically decompress data on arrival, there
+is a risk that the size of the output from the decompression process ends up
+many times larger than the input data size.

diff --git a/docs/libcurl/opts/CURLOPT_ACCEPT_ENCODING.md b/docs/libcurl/opts/CURLOPT_ACCEPT_ENCODING.md
index 05e7d19a350092ca4be34c6f40b8d25c41e3c9e0..6594061504cb2ff59ee39a850140651db8d89c13 100644 (file)
--- a/docs/libcurl/opts/CURLOPT_ACCEPT_ENCODING.md
+++ b/docs/libcurl/opts/CURLOPT_ACCEPT_ENCODING.md
@@ -56,18 +56,19 @@ You can also opt to just include the Accept-Encoding: header in your request
 with CURLOPT_HTTPHEADER(3) but then there is no automatic decompressing when
 receiving data.
 
-This is a request, not an order; the server may or may not do it. This option
-must be set (to any non-NULL value) or else any unsolicited encoding done by
-the server is ignored.
+Setting this option is a request, not an order; the server may or may not do
+it. It must be set (to any non-NULL value) or else any encoding done by the
+server is ignored.
 
 Servers might respond with Content-Encoding even without getting a
 Accept-Encoding: in the request. Servers might respond with a different
 Content-Encoding than what was asked for in the request.
 
-The Content-Length: servers send for a compressed response is supposed to
-indicate the length of the compressed content so when auto decoding is enabled
-it may not match the sum of bytes reported by the write callbacks (although,
-sending the length of the non-compressed content is a common server mistake).
+The Content-Length: header field servers send for a compressed response is
+supposed to indicate the length of the compressed content so when auto
+decoding is enabled it may not match the sum of bytes reported by the write
+callbacks (although, sending the length of the non-compressed content is a
+common server mistake).
 
 The application does not have to keep the string around after setting this
 option.
@@ -75,6 +76,9 @@ option.
 Using this option multiple times makes the last set string override the
 previous ones.
 
+**WARNING**: when decompressing data, even tiny transfers might be expanded
+and generate a huge amount of bytes.
+
 # HISTORY
 
 This option was called CURLOPT_ENCODING before 7.21.6