
WCF readerQuotas settings - drawbacks?

If a WCF service returns a byte array in its response message, there's a chance the data will exceed the default length of 16384 bytes. When this happens, the exception will be something like

The maximum array length quota (16384) has been exceeded while reading XML data. This quota may be increased by changing the MaxArrayLength property on the XmlDictionaryReaderQuotas object used when creating the XML reader.

All the advice I've seen on the web is just to increase the settings in the <readerQuotas> element to their maximum, so something like

<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
              maxArrayLength="2147483647" maxBytesPerRead="2147483647"
              maxNameTableCharCount="2147483647" />

on the server, and similar on the client.

I would like to know of any drawbacks with this approach, particularly if the size of the byte array may only occasionally get very large. Do the settings above just make WCF declare a huge array for each request? Do you have to limit the maximum size of the data returned, or can you just specify a reasonably-sized buffer and get WCF to keep going until all the data is read?

Thanks!

Graham Clark asked May 07 '09 14:05



2 Answers

The main drawback is a potential vulnerability to attacks - e.g. a malicious source can now flood your webserver with messages up to 2 GB in size and potentially bring it down.

Of course, allowing 2 GB messages also puts some strain on your server in terms of memory consumption, since those messages need to be assembled in memory, in full (unless you use streaming protocols in WCF). If you have 10 clients sending you 2 GB messages, you'll need plenty of RAM on your server! :-)

Other than that, I don't see any real issues.

Marc

marc_s answered Oct 02 '22 20:10



There is an article on MSDN which explains the various security considerations you need to think about when setting these values. Some denial-of-service attacks are those which eat up your memory and some of them (such as MaxDepth not being set properly) could cause fatal StackOverflowExceptions which could bring down your server in a single request.

http://msdn.microsoft.com/en-us/library/ms733135.aspx

Chris Gillum answered Oct 02 '22 20:10
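
A configuration check for the risks both answers describe, as an added example that is not part of either answer or of WCF itself: it scans a WCF config for readerQuotas values set to Int32.MaxValue, for a large maxDepth, and for a 2 GB maxReceivedMessageSize on a buffered binding. The binding names, the sample config and the MAX_DEPTH_LIMIT threshold are constructed assumptions.

```python
import xml.etree.ElementTree as ET

INT32_MAX = 2147483647
QUOTA_ATTRS = ("maxDepth", "maxStringContentLength", "maxArrayLength",
               "maxBytesPerRead", "maxNameTableCharCount")
MAX_DEPTH_LIMIT = 128  # assumed review threshold, not a WCF constant

# Constructed sample: one binding copied from the question, one sized to its payload.
SAMPLE_CONFIG = """
<configuration><system.serviceModel><bindings><basicHttpBinding>
  <binding name="maxedOut" maxReceivedMessageSize="2147483647">
    <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
                  maxArrayLength="2147483647" maxBytesPerRead="2147483647"
                  maxNameTableCharCount="2147483647" />
  </binding>
  <binding name="sized" maxReceivedMessageSize="1048576">
    <readerQuotas maxArrayLength="1048576" />
  </binding>
</basicHttpBinding></bindings></system.serviceModel></configuration>
"""

def audit_reader_quotas(config_xml):
    """Return a list of (binding name, attribute, reason) findings."""
    findings = []
    for binding in ET.fromstring(config_xml).iter("binding"):
        name = binding.get("name", "(unnamed)")
        for quotas in binding.iter("readerQuotas"):
            for attr in QUOTA_ATTRS:
                value = int(quotas.get(attr, "0"))
                if value == INT32_MAX:
                    findings.append((name, attr, "quota set to Int32.MaxValue"))
                elif attr == "maxDepth" and value > MAX_DEPTH_LIMIT:
                    findings.append((name, attr, "deep nesting allowed"))
        # Buffered transfer (assumed when transferMode is absent) holds the
        # whole message in memory, so a 2 GB limit is a memory-exhaustion risk.
        size = int(binding.get("maxReceivedMessageSize", "0"))
        mode = binding.get("transferMode", "Buffered")
        if size >= INT32_MAX and mode == "Buffered":
            findings.append((name, "maxReceivedMessageSize", "2 GB buffered messages"))
    return findings

if __name__ == "__main__":
    for finding in audit_reader_quotas(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```
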
