From b2d830e2aaca9344593c9dc40c06b3713ccc1b5e Mon Sep 17 00:00:00 2001 From: Martin Herkt Date: Mon, 30 Oct 2017 05:36:03 +0100 Subject: [PATCH] store_url: only accept identity content encoding Some servers (like IPFS gateways) will use chunked transfer encoding on anything but identity content encoding. Also, probably fix a potential zip bomb vulnerability. --- fhost.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fhost.py b/fhost.py index 75986bc..283c9a2 100755 --- a/fhost.py +++ b/fhost.py @@ -234,7 +234,8 @@ def store_url(url, addr): if is_fhost_url(url): return segfault(508) - r = requests.get(url, stream=True, verify=False) + h = { "Accept-Encoding" : "identity" } + r = requests.get(url, stream=True, verify=False, headers=h) try: r.raise_for_status()