[wildfly-dev] Shall we limit size of the deployment in WildFly?
darran.lofthouse at jboss.com
Tue Nov 3 08:46:10 EST 2015
On 03/11/15 13:30, Heiko W. Rupp wrote:
> On 3 Nov 2015, at 14:19, David M. Lloyd wrote:
>> I'm pretty sure that if an attacker has permission to upload deployments
>> to the server, they already essentially have control over the server.
> Well, uploads can be done remotely, so this can be seen as a DoS
> attack vector that does not necessarily require privileges
> for (physical) access like (remote) shell.
Any user performing these uploads would have an account for managing the
server in the first place - and if the user has that permission there is
nothing to stop their deployment from creating large files at runtime.
> And then I recall there being the zip bombs where a very small
> file would unzip to a huge one. This is probably nothing that
> could be caught by limiting the size of the upload.
> Do we know if WF continues to work when e.g. the partition for
> log files or other data is full?
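
The zip-bomb point quoted above, as an added example that is not part of the original message and is not WildFly code: a cap on the uploaded size passes a small archive that inflates far beyond it, while counting bytes during inflation catches it. The limits, function names and sample archives are assumptions constructed for illustration.

```python
import io
import zipfile

# Assumed limits, chosen for illustration only.
MAX_UPLOAD_BYTES = 1024 * 1024          # cap on the uploaded archive
MAX_INFLATED_BYTES = 8 * 1024 * 1024    # budget for the unpacked content
CHUNK = 64 * 1024


def build_archive(entries):
    """Build a constructed in-memory deployment archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def check_deployment(archive, max_upload=MAX_UPLOAD_BYTES,
                     max_inflated=MAX_INFLATED_BYTES):
    """Return (accepted, reason, inflated_bytes_counted)."""
    if len(archive) > max_upload:
        return False, "upload too large", 0
    inflated = 0
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            # Count bytes as they are produced and stop at the budget,
            # so the full expansion is never held in memory or on disk.
            with zf.open(info) as member:
                while chunk := member.read(CHUNK):
                    inflated += len(chunk)
                    if inflated > max_inflated:
                        return False, "inflated size over budget", inflated
    return True, "ok", inflated


if __name__ == "__main__":
    normal = build_archive({"WEB-INF/web.xml": b"<web-app/>"})
    # Constructed sample: 16 MiB of zero bytes deflates far below the upload cap.
    bomb = build_archive({"WEB-INF/classes/pad.bin": bytes(16 * 1024 * 1024)})
    for label, data in (("normal", normal), ("bomb", bomb)):
        print(label, len(data), "bytes uploaded ->", check_deployment(data))
```

Nested archives (a WAR inside an EAR) would need the same budget applied recursively, and this check does nothing about files a deployment creates at runtime.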