hgweb: document why we don't allow untrusted settings to control zlib
Added comment per discussion on mercurial-devel.
--- a/mercurial/hgweb/protocol.py Sun Aug 14 18:37:24 2016 -0700
+++ b/mercurial/hgweb/protocol.py Mon Aug 15 20:39:33 2016 -0700
@@ -74,6 +74,9 @@
self.ui.ferr, self.ui.fout = self.oldio
return val
def groupchunks(self, cg):
+ # Don't allow untrusted settings because disabling compression or
+ # setting a very high compression level could lead to flooding
+ # the server's network or CPU.
z = zlib.compressobj(self.ui.configint('server', 'zliblevel', -1))
while True:
chunk = cg.read(4096)
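Review bot: The added comment in `groupchunks` says untrusted settings are not allowed, but it does not say how that is enforced, and the `configint` call below it carries no visible marker of it. As far as I know the restriction comes from `ui.configint` defaulting to `untrusted=False`, so the comment should name that, for example with `# Read server.zliblevel from trusted config only (do not pass untrusted=True):` as its first line, so that a later edit does not add the flag without seeing the warning. Separately, the configured level reaches `zlib.compressobj` without a range check; a value outside -1..9 in a trusted hgrc would presumably fail only when a client requests a changegroup, so validating it might be worth a follow-up. The body of `groupchunks` continues past the end of the hunk.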