Re: [wildfly-dev] Shall we limit size of the deployment in WildFly?
On 03/11/15 13:30, Heiko W.Rupp wrote:
On 3 Nov 2015, at 14:19, David M. Lloyd wrote:
> I'm pretty sure that if an attacker has permission to upload deployments
> to the server, they already essentially have control over the server.
Well, uploads can be remotely, so this can be seen as a DOS
attack vector that does not necessarily require privileges
for (physical) access like (remote) shell.
Any user performing these uploads would have an account for managing the
server in the first place - and if the user has that permission there is
nothing to stop their deployment from creating large files at runtime.
And then I recall there being the zip bombs where a very small
file would unzip to a huge one. This is probably nothing that
could be caught by limiting the size of the upload.
Do we know if WF continues to work when e.g. the partition for
log files or other data is full?