WCF readerQuotas 设置 - 缺点? [英] WCF readerQuotas settings - drawbacks?

问题描述

如果 WCF 服务在其响应消息中返回一个字节数组，则数据可能会超过 16384 字节的默认长度.发生这种情况时，异常将类似于

If a WCF service returns a byte array in its response message, there's a chance the data will exceed the default length of 16384 bytes. When this happens, the exception will be something like

最大数组长度配额(16384)读取 XML 时已超出数据.此配额可能会增加更改 MaxArrayLength 属性在 XmlDictionaryReaderQuotas 上创建 XML 时使用的对象读者.

The maximum array length quota (16384) has been exceeded while reading XML data. This quota may be increased by changing the MaxArrayLength property on the XmlDictionaryReaderQuotas object used when creating the XML reader.

我在网上看到的所有建议都只是将 <readerQuotas> 元素中的设置增加到它们的最大值，例如

All the advice I've seen on the web is just to increase the settings in the <readerQuotas> element to their maximum, so something like

<readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647"
              maxArrayLength="2147483647" maxBytesPerRead="2147483647"
              maxNameTableCharCount="2147483647" />

在服务器上，在客户端上类似.

on the server, and similar on the client.

我想知道这种方法的任何缺点，特别是如果字节数组的大小可能只是偶尔变得非常大.上面的设置是否只是让 WCF 为每个请求声明一个巨大的数组?您是否必须限制返回数据的最大大小，或者您可以只指定一个合理大小的缓冲区并让 WCF 继续运行直到读取所有数据?

I would like to know of any drawbacks with this approach, particularly if the size of the byte array may only occassionally get very large. Do the settings above just make WCF declare a huge array for each request? Do you have to limit the maximum size of the data returned, or can you just specify a reasonably-sized buffer and get WCF to keep going until all the data is read?

谢谢！

推荐答案

主要缺点是潜在的攻击漏洞 - 例如恶意源现在可以用最大 2 GB 的消息淹没您的网络服务器，并有可能将其关闭.

The main drawback is a potential vulnerability to attacks - e.g. a malicious source can now flood your webserver with message up to 2 GB in size and potentially bring it down.

当然，允许 2 GB 消息也会在内存消耗方面给您的服务器带来一些压力，因为这些消息需要在内存中完全组装(除非您在 WCF 中使用流协议).如果您有 10 个客户端向您发送 2 GB 消息，则您的服务器上将需要足够的 RAM！:-)

Of course, allowing 2 GB messages also puts some strain on your server in terms of memory consumption, since those messages need to be assembled in memory, in full (unless you use streaming protocols in WCF). If you have 10 clients sending you 2 GB messages, you'll need plenty of RAM on your server! :-)

除此之外，我没有看到任何实际问题.

Other than that, I don't see any real issues.

马克

这篇关于WCF readerQuotas 设置 - 缺点?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！