Decompression security note
qraynaud opened this issue
Is there any reason to keep decompression deactivated by default from now on?
On a side note, the documentation still mentions, about the decompress option: "Do not enable unless required (see security note)". I can't see any security note anymore (I remember the one that was there before, when the decompression algorithm did not come from node's core). Maybe this note should be removed?
I guess I missed the note reference. I still don't think it should be enabled by default, as it still introduces an extra attack vector. Anyone who needs it can easily enable it.