[wildfly-dev] Shall we limit size of the deployment in WildFly?

Darran Lofthouse darran.lofthouse at jboss.com
Tue Nov 3 08:46:10 EST 2015


On 03/11/15 13:30, Heiko W.Rupp wrote:
> On 3 Nov 2015, at 14:19, David M. Lloyd wrote:
>> I'm pretty sure that if an attacker has permission to upload deployments
>> to the server, they already essentially have control over the server.
>
> Well, uploads can be done remotely, so this can be seen as a DOS
> attack vector that does not necessarily require privileges
> for (physical) access like (remote) shell.

Any user performing these uploads would have an account for managing the 
server in the first place - and if the user has that permission there is 
nothing to stop their deployment from creating large files at runtime.

> And then I recall there being the zip bombs where a very small
> file would unzip to a huge one. This is probably nothing that
> could be caught by limiting the size of the upload.
>
> Do we know if WF continues to work when e.g. the partition for
> log files or other data is full?
>
>
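
Added example, not part of the original message and not WildFly code: the zip-bomb point above shown as a defensive check that counts the bytes an uploaded archive actually inflates to and stops once a budget is exceeded, since a cap on upload size alone does not see the expansion. The class name, method names, entry name and both limits are assumptions chosen for illustration; the sample archive is constructed in memory.

```java
import java.io.*;
import java.util.zip.*;

public class DeploymentSizeCheck {
    /** Inflates every entry and returns the total; throws once maxExpanded is exceeded. */
    static long expandedSize(InputStream archive, long maxExpanded) throws IOException {
        long total = 0;
        byte[] buf = new byte[8192];
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            while (zin.getNextEntry() != null) {
                int n;
                while ((n = zin.read(buf)) != -1) {
                    // Count real inflated bytes; sizes declared in zip headers can be forged.
                    total += n;
                    if (total > maxExpanded) {
                        throw new IOException("archive expands past " + maxExpanded + " bytes");
                    }
                }
            }
        }
        return total;
    }

    /** Constructed sample: a single entry of zeros, which compresses extremely well. */
    static byte[] sampleArchive(int zeroBytes) throws IOException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(out)) {
            zout.putNextEntry(new ZipEntry("WEB-INF/classes/padding.bin"));
            zout.write(new byte[zeroBytes]);
            zout.closeEntry();
        }
        return out.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        long uploadLimit = 1024 * 1024;            // assumed cap on the uploaded file
        long expandedLimit = 10L * 1024 * 1024;    // assumed cap on the inflated content
        byte[] upload = sampleArchive(50 * 1024 * 1024);
        System.out.println("upload is " + upload.length + " bytes, within upload limit: "
                + (upload.length <= uploadLimit));
        try {
            long size = expandedSize(new ByteArrayInputStream(upload), expandedLimit);
            System.out.println("accepted, expands to " + size + " bytes");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The check covers one archive level only; archives nested inside the deployment (a WAR inside an EAR, for instance) would need the same budget applied recursively.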

