- Bug
- Resolution: Unresolved
- Major
- None
- Platform: All, OS: All
DirectoryBrowserSupport has

    if(zip) {
        rsp.setContentType("application/zip");
        baseFile.createZipArchive(rsp.getOutputStream(),rest);
        return;
    }

This seems like a possible DoS threat, or simply an overly easy way to bring
down a server by accident: if you ask to download a ZIP for a huge workspace,
the server could easily spend many minutes of heavy CPU time trying to compress
it for you. In particular, a web spider might trigger this link by accident.
I used to comment out this block when running my own Hudson installation; I
think my attention was drawn to it originally because there was some sort of
problem with the server not being responsive and a thread dump showed this code
being executed.
For smaller projects the ability to download ZIPs would seem useful, so I might
suggest a configuration option to let the user select whether or not to enable
this feature. (On by default for compatibility.)
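One way the suggested option could be enforced before `createZipArchive` is called, as an added example that is not Hudson's code: it combines the on/off setting with a size and file-count budget, and stops walking the tree as soon as the budget is exceeded. The class name `ZipDownloadGuard` and the limits are hypothetical.

```java
import java.io.IOException;
import java.nio.file.*;
import java.nio.file.attribute.BasicFileAttributes;

/** Hypothetical pre-check run before a directory is streamed as a ZIP. */
public class ZipDownloadGuard {
    private final boolean enabled;   // the configuration option suggested in the report
    private final long maxBytes;     // assumed limits, not existing Hudson settings
    private final long maxFiles;

    public ZipDownloadGuard(boolean enabled, long maxBytes, long maxFiles) {
        this.enabled = enabled;
        this.maxBytes = maxBytes;
        this.maxFiles = maxFiles;
    }

    /** True only if the feature is on and the tree fits within both limits. */
    public boolean allows(Path dir) throws IOException {
        if (!enabled) return false;
        final long[] seen = {0, 0};       // {bytes, files} counted so far
        final boolean[] over = {false};
        // walkFileTree does not follow symbolic links unless asked to.
        Files.walkFileTree(dir, new SimpleFileVisitor<Path>() {
            @Override
            public FileVisitResult visitFile(Path f, BasicFileAttributes a) {
                seen[0] += a.size();
                seen[1]++;
                if (seen[0] > maxBytes || seen[1] > maxFiles) {
                    over[0] = true;
                    return FileVisitResult.TERMINATE; // stop once the budget is exceeded
                }
                return FileVisitResult.CONTINUE;
            }
        });
        return !over[0];
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample workspace: three 4 KiB files in a temp directory.
        Path ws = Files.createTempDirectory("ws");
        for (int i = 0; i < 3; i++) Files.write(ws.resolve("f" + i), new byte[4096]);
        System.out.println(new ZipDownloadGuard(true, 1 << 20, 100).allows(ws));  // generous limits
        System.out.println(new ZipDownloadGuard(true, 8192, 100).allows(ws));     // byte limit below workspace size
        System.out.println(new ZipDownloadGuard(false, 1 << 20, 100).allows(ws)); // feature switched off
    }
}
```

A caller would return an error response instead of starting the archive when `allows` is false, so the compression work never begins for an oversized workspace.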