stackoom
  简体   繁体   中英

WCF readerQuotas settings - drawbacks?

 原文  2009-05-07 14:49:52       wcf/ performance

Question

If a WCF service returns a byte array in its response message, there's a chance the data will exceed the default length of 16384 bytes. When this happens, the exception will be something like

The maximum array length quota (16384) has been exceeded while reading XML data. This quota may be increased by changing the MaxArrayLength property on the XmlDictionaryReaderQuotas object used when creating the XML reader.

All the advice I've seen on the web is just to increase the settings in the <readerQuotas> element to their maximum, so something like 

<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
              maxArrayLength="2147483647" maxBytesPerRead="2147483647"
              maxNameTableCharCount="2147483647" />

on the server, and similar on the client.

I would like to know of any drawbacks with this approach, particularly if the size of the byte array may only occassionally get very large. Do the settings above just make WCF declare a huge array for each request? Do you have to limit the maximum size of the data returned, or can you just specify a reasonably-sized buffer and get WCF to keep going until all the data is read?

Thanks!

2 answers

solution1
 33 ACCPTED  2009-05-07 15:22:32

The main drawback is a potential vulnerability to attacks - eg a malicious source can now flood your webserver with message up to 2 GB in size and potentially bring it down.

Of course, allowing 2 GB messages also puts some strain on your server in terms of memory consumption, since those messages need to be assembled in memory, in full (unless you use streaming protocols in WCF). If you have 10 clients sending you 2 GB messages, you'll need plenty of RAM on your server! :-)

Other than that, I don't see any real issues.

Marc

solution2
 8  2011-02-23 00:03:25

There is an article on MSDN which explains the various security considerations you need to think about when setting these values. Some denial-of-service attacks are those which eat up your memory and some of them (such as MaxDepth not being set properly) could cause fatal StackOverflowExceptions which could bring down your server in a single request.

http://msdn.microsoft.com/en-us/library/ms733135.aspx

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question WCF maxReceivedMessagesize and readerquotas what is <readerQuotas> in WCF Binding? WCF <readerQuotas> maxDepth Inspect ReaderQuotas settings via OperationContext WCF modifying ReaderQuotas for HttpTransportBindingElement in CustomBinding Issue related to WCF <readerQuotas> maxDepth Custom Message Encoder in WCF with support for ReaderQuotas readerQuotas vs request limit in WCF web.config Why WCF class Binding doesn't have member ReaderQuotas? Set ReaderQuotas.MaxStringContentLength, in WCF via reflection WSHttpBinding
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM