[wildfly-dev] Shall we limit size of the deployment in WildFly?
David M. Lloyd
david.lloyd at redhat.com
Tue Nov 3 08:36:42 EST 2015
On 11/03/2015 07:30 AM, Heiko W.Rupp wrote:
> On 3 Nov 2015, at 14:19, David M. Lloyd wrote:
>> I'm pretty sure that if an attacker has permission to upload deployments
>> to the server, they already essentially have control over the server.
>
> Well, uploads can be remotely, so this can be seen as a DOS
> attack vector that does not necessarily require privileges
> for (physical) access like (remote) shell.
It does require permissions within our security framework though. I'm
reasonably sure we're not letting anonymous users upload arbitrary data
to the server without authorization checks.
> And then I recall there being the zip bombs where a very small
> file would unzip to a huge one. This is probably nothing that
> could be caught by limiting the size of the upload.
Sure, but this is only one of many possible attacks that you can perform
if you have the ability to upload deployments to the server. Even with
a locked down security manager I would never recommend running untrusted
Java code on a server that isn't itself isolated and/or protected at an
OS/VM level.
--
- DML
More information about the wildfly-dev
mailing list