Accept request with gzip content encoding may make server vulnerable to zip bomb
In https://foss.heptapod.net/tryton/tryton/-/blame/0af8ec5d64f41d9e46bfb3531f28454fc53aa202/trytond/trytond/protocols/wrappers.py#L73 we decode gzip content but the request may come from malicious client and thus provide a content that enable a zip bomb.
I think we should restrict decoding gzip content only from authenticated users and reject with 415 Unsupported Media Type for others. We may also try to compute the compression rate and reject too high ratio but GzipFile does not seem to provide such information.