Description: Deny compressed content from unauthenticated requests
 This patch fixes the vulnerability to zip bomb attacks via
 decoded gzip content from unauthenticated users.
 https://discuss.tryton.org/t/security-release-for-issue-13142/7196
Author: Cédric Krier <cedric.krier@b2ck.com>
Bug: https://foss.heptapod.net/tryton/tryton/-/issues/13142

--- a/trytond/protocols/wrappers.py
+++ b/trytond/protocols/wrappers.py
@@ -53,8 +53,11 @@
     @property
     def decoded_data(self):
         if self.content_encoding == 'gzip':
-            zipfile = gzip.GzipFile(fileobj=BytesIO(self.data), mode='rb')
-            return zipfile.read()
+            if self.user_id:
+                zipfile = gzip.GzipFile(fileobj=BytesIO(self.data), mode='rb')
+                return zipfile.read()
+            else:
+                abort(HTTPStatus.UNSUPPORTED_MEDIA_TYPE)
         else:
             return self.data
 
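Review bot: The gzip branch of `decoded_data` still calls `zipfile.read()` with no size limit whenever `self.user_id` is truthy, so any authenticated account, including a low-privilege or compromised one, can still make the server inflate a small body into an arbitrarily large buffer. Consider bounding the read with `data = zipfile.read(MAX_DECODED_SIZE + 1)` followed by `if len(data) > MAX_DECODED_SIZE: abort(HTTPStatus.REQUEST_ENTITY_TOO_LARGE)`, where `MAX_DECODED_SIZE` is a placeholder for a configured limit. How `user_id` is populated is outside this hunk, so it is worth confirming it is set only after credentials have been verified, not merely parsed from the request. A short comment on the `else` branch, such as `# refuse to inflate bodies from unauthenticated clients (zip bomb)`, would also explain why 415 is returned.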
