Jenkins issue tracker: JENKINS-2253

DoS threat in ZIP downloads


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Component: _unsorted
    • Labels: None
    • Environment: Platform: All, OS: All

      DirectoryBrowserSupport has

          if (zip) {
              rsp.setContentType("application/zip");
              baseFile.createZipArchive(rsp.getOutputStream(), rest);
              return;
          }

      This seems like a possible DoS threat, or simply an overly easy way to bring
      down a server by accident: if you ask to download a ZIP for a huge workspace,
      the server could easily spend many minutes of heavy CPU time trying to compress
      it for you. In particular, a web spider might trigger this link by accident.

      I used to comment out this block when running my own Hudson installation; I
      think my attention was drawn to it originally because there was some sort of
      problem with the server not being responsive and a thread dump showed this code
      being executed.

      For smaller projects the ability to download ZIPs would seem useful, so I might
      suggest a configuration option to let the user select whether or not to enable
      this feature. (On by default for compatibility.)
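The following is an added illustration, not the Jenkins code quoted in the report and not an existing Jenkins API: a hypothetical guard that implements the suggested on/off switch and also refuses to build an archive once the workspace exceeds a configured byte or file-count budget, so a single request cannot occupy the server for minutes. The class name, method names and budget values are assumptions.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipOutputStream;

/** Hypothetical guard (not Jenkins code): bounds the work a ZIP download may cost. */
public final class BoundedZipDownload {
    private final boolean enabled;      // the per-instance opt-out the report suggests
    private final long maxTotalBytes;   // uncompressed bytes we are willing to compress
    private final int maxEntries;       // number of files we are willing to add

    public BoundedZipDownload(boolean enabled, long maxTotalBytes, int maxEntries) {
        this.enabled = enabled;
        this.maxTotalBytes = maxTotalBytes;
        this.maxEntries = maxEntries;
    }

    /** Lists regular files under root, aborting as soon as either budget is exceeded. */
    List<Path> collectWithinBudget(Path root) throws IOException {
        List<Path> files = new ArrayList<>();
        long[] total = {0L};
        // walkFileTree does not follow symlinks by default, so linked trees are not pulled in.
        Files.walkFileTree(root, new SimpleFileVisitor<Path>() {
            @Override public FileVisitResult visitFile(Path f, BasicFileAttributes a) throws IOException {
                if (!a.isRegularFile()) return FileVisitResult.CONTINUE; // skip links, devices
                total[0] += a.size();
                files.add(f);
                if (total[0] > maxTotalBytes || files.size() > maxEntries) {
                    throw new IOException("workspace exceeds the ZIP download budget");
                }
                return FileVisitResult.CONTINUE;
            }
        });
        return files;
    }

    public void serve(Path root, OutputStream out) throws IOException {
        if (!enabled) throw new IOException("ZIP downloads are disabled on this instance");
        List<Path> files = collectWithinBudget(root); // reject before any byte is sent
        try (ZipOutputStream zos = new ZipOutputStream(out)) {
            for (Path f : files) {
                // Forward slashes keep entry names portable across platforms.
                zos.putNextEntry(new ZipEntry(root.relativize(f).toString().replace('\\', '/')));
                Files.copy(f, zos);
                zos.closeEntry();
            }
        }
    }
}
```

The pre-check and the streaming pass are separate walks, so files that grow or appear in between are not counted; the check is a coarse limit on compression work, not an exact accounting.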

            Assignee: Unassigned
            Reporter: Jesse Glick (jglick)
